Windows Analysis Report
Zt43pLXYiu.exe

Overview

General Information

Sample name:Zt43pLXYiu.exe
renamed because original name is a hash value
Original sample name:B88488B8E7066575EB4B3CCA53545388C53420F8C9519A8A1866352A07CB481D.exe
Analysis ID:1579607
MD5:a8d9973fa386ac46b47fed5f05d198d5
SHA1:6a6cb373ff59178a029fcd2da3d5d1b29673cf3a
SHA256:b88488b8e7066575eb4b3cca53545388c53420f8c9519a8a1866352a07cb481d
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009

Detection

Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Zt43pLXYiu.exe (PID: 7004 cmdline: "C:\Users\user\Desktop\Zt43pLXYiu.exe" MD5: A8D9973FA386AC46B47FED5F05D198D5)
    • Zt43pLXYiu.tmp (PID: 7056 cmdline: "C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp" /SL5="$20424,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 7104 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 3736 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • Zt43pLXYiu.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT MD5: A8D9973FA386AC46B47FED5F05D198D5)
        • Zt43pLXYiu.tmp (PID: 7160 cmdline: "C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp" /SL5="$3043E,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 6388 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7036 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 6388 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 5304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 6364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1220 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6268 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6428 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5820 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6308 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6424 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7032 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3980 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4544 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2496 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7152 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6384 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2148 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4960 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7140 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7000 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5928 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6360 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6336 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1352 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5460 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6312 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1220 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4420 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3052 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7100 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5744 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1352 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6424 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6428 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4420 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5932 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5828 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7056 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7152 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5460 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6284 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1220 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5928 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2720 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3444 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7100 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7136 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7152 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6312 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5928 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4592 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4916 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3868 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7152 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp" /SL5="$20424,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp, ParentProcessId: 7056, ParentProcessName: Zt43pLXYiu.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7104, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1220, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6268, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp" /SL5="$20424,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp, ParentProcessId: 7056, ParentProcessName: Zt43pLXYiu.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7104, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1220, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6268, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp" /SL5="$20424,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp, ParentProcessId: 7056, ParentProcessName: Zt43pLXYiu.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7104, ProcessName: powershell.exe
No Suricata rule has matched
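The Sigma hits above fire on the two command lines that matter in this process tree: the Add-MpPreference call that excludes all of C:\ from Defender scanning, and the sc create that registers tProtect.dll (a .dll name, but type= kernel) as an auto-start driver service. The Python below is an added example, not code from Joe Sandbox, the Sigma project or the sample. It runs equivalent checks over a few constructed process-creation events: the report's own command lines plus an invented base64-encoded Add-MpPreference variant and an invented benign user-mode service, neither of which appears in the report. It decodes -EncodedCommand payloads, flags a whole-drive exclusion, and flags a kernel-driver image that lacks a .sys extension. The regexes approximate the Sigma rules' logic and were written for this example; they are not the rules themselves.

```python
"""Detection logic for two behaviours in this report: a Defender exclusion
added through PowerShell (plain or base64-encoded) and a kernel driver
service registered with sc.exe. Added example; events are constructed."""
import base64
import re
from typing import Dict, List, Optional

# Constructed process-creation events. The first three reproduce command lines
# from the report; the last two are invented for the example (an encoded
# variant and a benign user-mode service) and are NOT in the report.
EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""},
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": 'sc create CleverSoar displayname= CleverSoar binPath= '
                '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'},
    {"image": r"C:\Windows\System32\sc.exe", "cmdline": "sc start CleverSoar"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + base64.b64encode(
         "Add-MpPreference -ExclusionExtension '.exe'".encode("utf-16le")).decode("ascii")},
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": 'sc create MyApp binPath= "C:\\app\\svc.exe" type= own start= auto'},
]

# -EncodedCommand (and its short forms) carries base64 of a UTF-16LE script.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
MP_PREF = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\s+['\"]?([^'\"\s]+)")
ROOT_VOLUME = re.compile(r"[A-Za-z]:\\?")       # "C:" or "C:\" excludes the whole drive
SC_CREATE = re.compile(r"(?i)\bcreate\b")
SC_TYPE_KERNEL = re.compile(r"(?i)\btype=\s*kernel\b")
SC_BINPATH = re.compile(r'(?i)binpath=\s*(?:"([^"]*)"|(\S+))')


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script when the command line uses -EncodedCommand."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: Dict[str, str]) -> List[str]:
    """Return the findings for one process-creation event (empty if benign)."""
    findings: List[str] = []
    image, cmd = event["image"].lower(), event["cmdline"]
    if image.endswith("\\sc.exe"):
        if SC_CREATE.search(cmd) and SC_TYPE_KERNEL.search(cmd):
            findings.append("kernel driver service created via sc.exe")
            m = SC_BINPATH.search(cmd)
            path = (m.group(1) or m.group(2)) if m else ""
            # Drivers are .sys; this report's driver is registered as a .dll.
            if path and not path.lower().endswith(".sys"):
                findings.append(f"driver image has non-.sys extension: {path}")
    elif image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        # Check the visible command line and, if present, the decoded payload.
        for text, how in ((cmd, "plain"), (decode_encoded_command(cmd), "base64")):
            if text is None:
                continue
            for m in MP_PREF.finditer(text):
                kind, value = m.group(1), m.group(2)
                findings.append(f"Defender exclusion ({how}): {kind}={value}")
                if kind.lower() == "path" and ROOT_VOLUME.fullmatch(value):
                    findings.append("whole-volume exclusion")
    return findings


def scan(events: List[Dict[str, str]] = EVENTS) -> Dict[int, List[str]]:
    """Map event index to findings, omitting events with none."""
    result: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = analyse(ev)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for idx, hits in scan().items():
        print(idx, EVENTS[idx]["cmdline"][:60], "->", hits)
```

Feed analyse() the image path and command line from Sysmon event 1 or Security 4688 records; the encoded-command branch is what the "Base64 Encoded MpPreference Cmdlet" rule exists for, since the plain-text rule sees only "-enc ..." on the command line.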

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | Virustotal: Detection: 10%
Source: Zt43pLXYiu.exe | Virustotal: Detection: 7%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 87.7% probability
Source: Zt43pLXYiu.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Zt43pLXYiu.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | source: 7zr.exe, 0000000C.00000003.1817947699.0000000000C90000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1817636189.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr (objfre_wnet_amd64 is the WDK free-build output directory for an x64 kernel-mode driver; the dropped file carrying this PDB path, tProtect.dll, is the one registered as the CleverSoar kernel service despite its .dll extension)
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C18AEC0 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00236868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00237496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004290000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.tmp, 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | Strings found in binary or memory (DigiCert certificate, CRL and OCSP URLs, i.e. PKI metadata rather than contacted hosts):
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | Strings found in binary or memory (aria2 download-utility help text):
  • http://www.metalinker.org/
  • http://www.metalinker.org/basic_string::_M_construct
  • https://aria2.github.io/
  • https://aria2.github.io/Usage:
  • https://github.com/aria2/aria2/issues
  • https://github.com/aria2/aria2/issuesReport
Source: Zt43pLXYiu.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Zt43pLXYiu.exe, 00000000.00000003.1693773336.000000007EF6B000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.exe, 00000000.00000003.1693436348.0000000003170000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.tmp, 00000001.00000000.1695143071.0000000000C21000.00000020.00000001.01000000.00000004.sdmp, Zt43pLXYiu.tmp, 00000006.00000000.1785890886.000000000112D000.00000020.00000001.01000000.00000008.sdmp, Zt43pLXYiu.tmp.5.dr, Zt43pLXYiu.tmp.0.dr | Strings found in binary or memory (Inno Setup / RemObjects Pascal Script installer framework):
  • https://www.innosetup.com/
  • https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Process information set: 01 00 00 00 (ProcessBreakOnTermination = 1, the BreakOnTermination flag from the signature list: the process is marked critical, so killing it from Task Manager or an EDR action bugchecks the machine; clear the flag before terminating the process during cleanup)

System Summary

Source: update.vac.1.dr | Static PE information: section name: .=~
Source: update.vac.6.dr | Static PE information: section name: .=~
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C013886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C195120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C013C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C013D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C013D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C195D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C0139CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C013A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C011950: CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C014754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: String function: 6C266F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: String function: 6C1C9240 appears 31 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 002328E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00231E40 appears 83 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 002CFB10 appears 720 times
Source: Zt43pLXYiu.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Zt43pLXYiu.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Zt43pLXYiu.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: Zt43pLXYiu.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: Zt43pLXYiu.exe | Static PE information: Number of sections : 11 > 10
Source: Zt43pLXYiu.exe, 00000000.00000003.1693773336.000000007F26A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs Zt43pLXYiu.exe
Source: Zt43pLXYiu.exe, 00000000.00000003.1693436348.000000000328E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs Zt43pLXYiu.exe
Source: Zt43pLXYiu.exe, 00000000.00000000.1691726117.0000000000299000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs Zt43pLXYiu.exe
Source: Zt43pLXYiu.exe | Binary or memory string: OriginalFileNameSSRClient.exe vs Zt43pLXYiu.exe
Source: Zt43pLXYiu.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal96.evad.winEXE@130/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C195D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00239313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00243D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00239252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Code function: 6_2_6C195240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | File created: C:\Program Files (x86)\Windows NT\is-J09AG.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1196:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6428:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3332:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6264:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6652:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4420:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6364:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2200:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7104:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6312:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7004:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6384:120:WilError_03
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | File created: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: Zt43pLXYiu.exe | Virustotal: Detection: 7%
Source: Zt43pLXYiu.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | File read: C:\Users\user\Desktop\Zt43pLXYiu.exe
Source: unknown | Process created: C:\Users\user\Desktop\Zt43pLXYiu.exe "C:\Users\user\Desktop\Zt43pLXYiu.exe"
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Process created: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp "C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp" /SL5="$20424,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe"
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp | Process created: C:\Users\user\Desktop\Zt43pLXYiu.exe "C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe | Process created: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp "C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp" /SL5="$3043E,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Zt43pLXYiu.exeProcess created: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp "C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp" /SL5="$20424,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmpProcess created: C:\Users\user\Desktop\Zt43pLXYiu.exe "C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\Zt43pLXYiu.exeProcess created: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp "C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp" /SL5="$3043E,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Zt43pLXYiu.exe Static file information: File size 5707174 > 1048576
Source: Zt43pLXYiu.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1817947699.0000000000C90000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1817636189.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_002B57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_002B57D0
Source: Zt43pLXYiu.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x343a15
Source: Zt43pLXYiu.tmp.5.dr Static PE information: real checksum: 0x0 should be: 0x343a15
Source: update.vac.1.dr Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.6.dr Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: Zt43pLXYiu.exe Static PE information: real checksum: 0x0 should be: 0x577ff5
Source: hrsw.vbc.6.dr Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.12.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: Zt43pLXYiu.exe Static PE information: section name: .didata
Source: Zt43pLXYiu.tmp.0.dr Static PE information: section name: .didata
Source: update.vac.1.dr Static PE information: section name: .00cfg
Source: update.vac.1.dr Static PE information: section name: .voltbl
Source: update.vac.1.dr Static PE information: section name: .=~
Source: Zt43pLXYiu.tmp.5.dr Static PE information: section name: .didata
Source: 7zr.exe.6.dr Static PE information: section name: .sxdata
Source: update.vac.6.dr Static PE information: section name: .00cfg
Source: update.vac.6.dr Static PE information: section name: .voltbl
Source: update.vac.6.dr Static PE information: section name: .=~
Source: is-KIKIU.tmp.6.dr Static PE information: section name: .xdata
Source: hrsw.vbc.6.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Code function: 6_2_6C1986EB push ecx; ret 6_2_6C1986FE
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Code function: 6_2_6C040F00 push ss; retn 0001h 6_2_6C040F0A
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Code function: 6_2_6C266F10 push eax; ret 6_2_6C266F2E
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Code function: 6_2_6C1CB9F4 push 004AC35Ch; ret 6_2_6C1CBA0E
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp Code function: 6_2_6C267290 push eax; ret 6_2_6C2672BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_002345F4 push 002DC35Ch; ret 10_2_0023460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_002CFB10 push eax; ret 10_2_002CFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_002CFE90 push eax; ret 10_2_002CFEBE
Source: update.vac.1.dr Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.6.dr Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.6.dr Static PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe File created: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe File created: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp File created: C:\Program Files (x86)\Windows NT\is-KIKIU.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp File created: C:\Users\user\AppData\Local\Temp\is-I9EV9.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp File created: C:\Users\user\AppData\Local\Temp\is-I9EV9.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp File created: C:\Users\user\AppData\Local\Temp\is-J0CBF.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp File created: C:\Users\user\AppData\Local\Temp\is-J0CBF.tmp\update.vac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Zt43pLXYiu.exe - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 5897
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 3867
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Window / User API: threadDelayed 564
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Window / User API: threadDelayed 633
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-KIKIU.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe - Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I9EV9.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I9EV9.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J0CBF.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J0CBF.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe - API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2484 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6C18AEC0 FindFirstFileA,FindClose,FindClose,6_2_6C18AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe - Code function: 10_2_00236868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00236868
Source: C:\Program Files (x86)\Windows NT\7zr.exe - Code function: 10_2_00237496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00237496
Source: C:\Program Files (x86)\Windows NT\7zr.exe - Code function: 10_2_00239C60 GetSystemInfo,10_2_00239C60
Source: Zt43pLXYiu.tmp, 00000001.00000002.1796571014.000000000144C000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Zt43pLXYiu.tmp, 00000001.00000002.1796571014.000000000144C000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6C013886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C013886
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6C1A0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6C1A0181
Source: C:\Program Files (x86)\Windows NT\7zr.exe - Code function: 10_2_002B57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_002B57D0
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6C1A9D35 mov eax, dword ptr fs:[00000030h] 6_2_6C1A9D35
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6C1A9D66 mov eax, dword ptr fs:[00000030h] 6_2_6C1A9D66
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6C19F17D mov eax, dword ptr fs:[00000030h] 6_2_6C19F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6C198CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_6C198CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr - Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp - Process created: C:\Users\user\Desktop\Zt43pLXYiu.exe "C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe - Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp - Code function: 6_2_6C267720 cpuid 6_2_6C267720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe - Code function: 10_2_0023AB2A GetSystemTimeAsFileTime,10_2_0023AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe - Code function: 10_2_002D0090 GetVersion,10_2_002D0090
Source: C:\Windows\System32\cmd.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK Matrix

One line per tactic column, techniques listed top to bottom; a number in parentheses is the count the report displays next to that technique.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (2); Service Execution (1); Native API (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Access Token Manipulation (1); Windows Service (1); Process Injection (111); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (231); Access Token Manipulation (1); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (431); Virtualization/Sandbox Evasion (231); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (2); File and Directory Discovery (3); System Information Discovery (25); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (rendered graph not reproduced; the recoverable details follow)

Behavior Graph ID: 1579607, Sample: Zt43pLXYiu.exe, Startdate: 23/12/2024, Architecture: WINDOWS, Score: 96
Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 3 other signatures

Process tree:
  Zt43pLXYiu.exe (dropped: C:\Users\user\AppData\...\Zt43pLXYiu.tmp, PE32)
    Zt43pLXYiu.tmp (dropped: C:\Users\user\AppData\Local\...\update.vac, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; signature: Adds a directory exclusion to Windows Defender)
      Zt43pLXYiu.exe (dropped: C:\Users\user\AppData\...\Zt43pLXYiu.tmp, PE32)
        Zt43pLXYiu.tmp (dropped: C:\Users\user\AppData\Local\...\update.vac, PE32; C:\Program Files (x86)\...\trash (copy), PE32+; C:\Program Files (x86)\...\is-KIKIU.tmp, PE32+; 3 other files (1 malicious); signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger)
          7zr.exe (dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+) -> conhost.exe
          cmd.exe -> sc.exe -> conhost.exe
          7zr.exe -> conhost.exe
      powershell.exe (signature: Loading BitLocker PowerShell Module) -> conhost.exe, WmiPrvSE.exe
  cmd.exe -> sc.exe -> conhost.exe
  cmd.exe -> sc.exe -> conhost.exe
  30 other processes -> sc.exe (3 shown) and 26 other processes -> conhost.exe

Submitted file:
Source | Detection | Scanner
Zt43pLXYiu.exe | 7% | Virustotal
Zt43pLXYiu.exe | 0% | ReversingLabs

Dropped files:
Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal
C:\Program Files (x86)\Windows NT\hrsw.vbc | 10% | Virustotal
C:\Program Files (x86)\Windows NT\is-KIKIU.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\is-KIKIU.tmp | 0% | Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 4% | Virustotal
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-I9EV9.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-J0CBF.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://aria2.github.io/Usage: | Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | Zt43pLXYiu.exe | false | | high
https://github.com/aria2/aria2/issuesReport | Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | false | | high
http://www.metalinker.org/ | Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | false | | high
https://www.remobjects.com/ps | Zt43pLXYiu.exe, 00000000.00000003.1693773336.000000007EF6B000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.exe, 00000000.00000003.1693436348.0000000003170000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.tmp, 00000001.00000000.1695143071.0000000000C21000.00000020.00000001.01000000.00000004.sdmp, Zt43pLXYiu.tmp, 00000006.00000000.1785890886.000000000112D000.00000020.00000001.01000000.00000008.sdmp, Zt43pLXYiu.tmp.5.dr, Zt43pLXYiu.tmp.0.dr | false | | high
https://aria2.github.io/ | Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | false | | high
https://github.com/aria2/aria2/issues | Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | false | | high
https://www.innosetup.com/ | Zt43pLXYiu.exe, 00000000.00000003.1693773336.000000007EF6B000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.exe, 00000000.00000003.1693436348.0000000003170000.00000004.00001000.00020000.00000000.sdmp, Zt43pLXYiu.tmp, 00000001.00000000.1695143071.0000000000C21000.00000020.00000001.01000000.00000004.sdmp, Zt43pLXYiu.tmp, 00000006.00000000.1785890886.000000000112D000.00000020.00000001.01000000.00000008.sdmp, Zt43pLXYiu.tmp.5.dr, Zt43pLXYiu.tmp.0.dr | false | | high
http://www.metalinker.org/basic_string::_M_construct | Zt43pLXYiu.tmp, 00000001.00000003.1782501454.0000000004739000.00000004.00001000.00020000.00000000.sdmp, is-KIKIU.tmp.6.dr | false | | high
                    No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579607
Start date and time: 2024-12-23 05:27:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: Zt43pLXYiu.exe (renamed because the original name is a hash value)
Original Sample Name: B88488B8E7066575EB4B3CCA53545388C53420F8C9519A8A1866352A07CB481D.exe
Detection: MAL
Classification: mal96.evad.winEXE@130/32@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 65
• Number of non-executed functions: 78
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                    No simulations
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | 安装助手_1.0.9.exe | malicious | Unknown
 | 安装助手_1.0.1.exe | malicious | Unknown
 | 安装助手_1.0.8.exe | malicious | Unknown
 | 安装助手_1.0.9.exe | malicious | Unknown
 | 安装助手_1.0.1.exe | malicious | Unknown
 | 安装助手_1.0.8.exe | malicious | Unknown
 | 软件包安装程序_1.0.4.exe | malicious | Unknown
 | 软件包安装程序_1.0.4.exe | malicious | Unknown
 | ekTL8jTI4D.msi | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: 安装助手_1.0.9.exe, Detection: malicious
• Filename: 安装助手_1.0.1.exe, Detection: malicious
• Filename: 安装助手_1.0.8.exe, Detection: malicious
• Filename: 安装助手_1.0.9.exe, Detection: malicious
• Filename: 安装助手_1.0.1.exe, Detection: malicious
• Filename: 安装助手_1.0.8.exe, Detection: malicious
• Filename: 软件包安装程序_1.0.4.exe, Detection: malicious
• Filename: 软件包安装程序_1.0.4.exe, Detection: malicious
• Filename: ekTL8jTI4D.msi, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
File Type: data
Category: dropped
Size (bytes): 249968
Entropy (8bit): 7.999181384527325
Encrypted: true
SSDEEP: 6144:Ikr8c5j7Y5FW8pkt8sAU7tmfSQOUtqbJv4dcLZWM2nb:95fY5Lpu3AW53Ob
MD5: 08A2C168AB327371A9DF04F8B55B1FC8
SHA1: DD84BC526F4829AA236C4EC64F4F8C261D737930
SHA-256: 683370ABE085C55C1BC40C4CA53FEBE03723E4CEC9115BBF39D307715B0A2CC4
SHA-512: AABC8A8C158BAA1C3A298B66D034B932F7ECF7F8825F19A1F1EAB683BFA401B588C7D85DE15745E58437648D9AED063EF98D0C3FFA0F17A58F3E3DCBF994F795
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3598848
Entropy (8bit): 7.004949099807939
Encrypted: false
SSDEEP: 49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5: 1D1464C73252978A58AC925ECE57F0FB
SHA1: 30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256: 05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512: 40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious: true
Antivirus:
• Antivirus: Virustotal, Detection: 10%
Process: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
File Type: data
Category: dropped
Size (bytes): 249968
Entropy (8bit): 7.999181384527325
Encrypted: true
SSDEEP: 6144:Ikr8c5j7Y5FW8pkt8sAU7tmfSQOUtqbJv4dcLZWM2nb:95fY5Lpu3AW53Ob
MD5: 08A2C168AB327371A9DF04F8B55B1FC8
SHA1: DD84BC526F4829AA236C4EC64F4F8C261D737930
SHA-256: 683370ABE085C55C1BC40C4CA53FEBE03723E4CEC9115BBF39D307715B0A2CC4
SHA-512: AABC8A8C158BAA1C3A298B66D034B932F7ECF7F8825F19A1F1EAB683BFA401B588C7D85DE15745E58437648D9AED063EF98D0C3FFA0F17A58F3E3DCBF994F795
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
File Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 5649408
Entropy (8bit): 6.392614480390128
Encrypted: false
SSDEEP: 98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
MD5: 8C71B86BF407C05BAF11E8D296B9C8B8
SHA1: 6624AB8CA883C48F02C58250D4EEE9E90098F4E4
SHA-256: BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
SHA-512: BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56530
Entropy (8bit): 7.996641034577904
Encrypted: true
SSDEEP: 768:Jg6hUqdESpfJcLGdtTLvw2g1RDFsx9y8Q7bKzEHoIIFdAy7gqEzhhiW1cN6ye59R:JHTUG/zw2g1RDWq8sK4rIT8lHX5H/n
MD5: 4E6E3B0A58A2A4EE3D29D1C91F5371C5
SHA1: 60A59DB6EB459D4CC45247991923B40E65B2DA35
SHA-256: 0AC3E01ACCC59633B4AEA734E23EC1E6E6B9C6ABFFF56DCACCE3DEC66E3B8FC7
SHA-512: 8E61DFA6F974A55CB2B37F146FC80B3C12C8FCD4E6B76F2F4292C28D114CDD32D4D5FA462851ADDFD82A83AAD0922450CF835783FFA2FA2AB34EC4F3D598AA64
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56530
Entropy (8bit): 7.996641034577909
Encrypted: true
SSDEEP: 1536:C2CCPvwJl6YuPW/W9adr918LB0czeclMVQiyllgx:ACnKQYuKu2FcmgQ
MD5: 29795B95976A164E56C15872B764FB31
SHA1: 4DD6A98469D584542B551D61C74C701920DA032D
SHA-256: B5AE456F7CDBDCC6AA48E19B1D3218F7B94F9F049768F0F1E8AD4B6CD6E45BA4
SHA-512: 41E086AFB5D4247CF0D61DD627B485BE4957AC9FFF3F00213096009DF432FAF0ACEDF1FEE2551B4B8E891286D35FC96042ABC1377C23692906256607FAF4AB28
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255975
Encrypted: true
SSDEEP: 1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5: CEA69F993E1CE0FB945A98BF37A66546
SHA1: 7114365265F041DA904574D1F5876544506F89BA
SHA-256: E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512: 4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255979
Encrypted: true
SSDEEP: 1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
MD5: 4CB8B7E557C80FC7B014133AB834A042
SHA1: C42E2C861FF3ED0E6A11824E12F67A344E8F783D
SHA-256: 3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
SHA-512: A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 31890
Entropy (8bit): 7.99402458740637
Encrypted: true
SSDEEP: 768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
MD5: 8622FC7228777F64A47BD6C61478ADD9
SHA1: 9A7C15F341835F83C96DA804DC1E21FDA696BB56
SHA-256: 4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
SHA-512: 71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 31890
Entropy (8bit): 7.99402458740637
Encrypted: true
SSDEEP: 768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
MD5: CE6034AFC63BB42F4E0D6CD897DFBCB8
SHA1: 49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
SHA-256: 7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
SHA-512: 7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
Malicious: false
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):74960
                                      Entropy (8bit):7.99759370165655
                                      Encrypted:true
                                      SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                      MD5:950338D50B95A25F494EE74E97B7B7A9
                                      SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                      SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                      SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                      Malicious:false
                                      Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                      Process:C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):74960
                                      Entropy (8bit):7.997593701656546
                                      Encrypted:true
                                      SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                      MD5:059BA7C31F3E227356CA5F29E4AA2508
                                      SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                      SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                      SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                      Malicious:false
                                      Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):29730
                                      Entropy (8bit):7.994290657653607
                                      Encrypted:true
                                      SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                      MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                      SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                      SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                      SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                      Malicious:false
                                      Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                      Process:C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):29730
                                      Entropy (8bit):7.994290657653608
                                      Encrypted:true
                                      SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                      MD5:A9C8A3E00692F79E1BA9693003F85D18
                                      SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                      SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                      SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                      Malicious:false
                                      Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
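Two of the pairs above are worth a second look during triage: a 7-zip archive and a "data" file of exactly 74960 bytes, and another pair of exactly 29730 bytes, each pair sharing its 8-bit entropy to the last printed digit while carrying different hashes. Identical size plus identical entropy is what a byte-value permutation produces (a single-byte XOR, a substitution table), because such a transform only relabels the histogram. The following script is an added example, not Joe Sandbox output and not the sample's own code: it checks whether two files have the same histogram and, if so, whether one is the other XORed with a single constant byte, using the 7z signature as the known plaintext. The sample bytes are constructed inline so it runs offline; run `classify_pair` on the real dropped files to test the hypothesis rather than assume it.

```python
"""Triage helper for equal-size, equal-entropy, different-hash file pairs.

Added example, not part of the sandbox report.  The SAMPLE_* blobs below are
constructed here (seeded pseudo-random bytes), not the dropped files.
"""
import math
import random
from collections import Counter

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # real 7z container signature


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits/byte, the figure the report prints."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def same_histogram(a: bytes, b: bytes) -> bool:
    """True when b's byte histogram is a relabelling of a's.

    Any bijection on byte values (XOR with a constant, a substitution table)
    leaves the multiset of counts, and therefore the entropy, unchanged.
    """
    if len(a) != len(b):
        return False
    return sorted(Counter(a).values()) == sorted(Counter(b).values())


def xor_with(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def single_byte_xor_key(blob: bytes, magic: bytes = SEVEN_ZIP_MAGIC):
    """Return the key if blob == (magic-prefixed data) XOR key, else None.

    Every byte of the known signature must agree on the same key; a
    multi-byte key or a substitution table will not pass this test.
    """
    if len(blob) < len(magic):
        return None
    keys = {blob[i] ^ magic[i] for i in range(len(magic))}
    return keys.pop() if len(keys) == 1 else None


def classify_pair(archive: bytes, blob: bytes) -> str:
    """Describe how an archive and a same-size blob relate."""
    if archive == blob:
        return "identical"
    if not same_histogram(archive, blob):
        return "unrelated"
    key = single_byte_xor_key(blob)
    if key is not None and xor_with(blob, key) == archive:
        return f"single-byte xor key=0x{key:02x}"
    return "same histogram, not single-byte xor"


# Constructed sample data (not the dropped files): a fake 7z-prefixed blob,
# the same blob under a one-byte XOR, and a reversed copy that keeps the
# histogram without being an XOR variant.
_rng = random.Random(7)
SAMPLE_ARCHIVE = SEVEN_ZIP_MAGIC + bytes(_rng.getrandbits(8) for _ in range(200))
SAMPLE_BLOB = xor_with(SAMPLE_ARCHIVE, 0x5A)
SAMPLE_REVERSED = SAMPLE_ARCHIVE[::-1]


if __name__ == "__main__":
    for name, other in [("xor", SAMPLE_BLOB), ("reversed", SAMPLE_REVERSED)]:
        print(name, f"{shannon_entropy(other):.12f}", classify_pair(SAMPLE_ARCHIVE, other))
```

On the real files, equal histograms with a recovered key confirm a trivial wrapper and give you the archive to unpack; equal histograms with no key mean a different bijection and a different follow-up (the extracting process, 7zr.exe here, is the place to look for the transform).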
                                      Process:C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):249968
                                      Entropy (8bit):7.999181384527332
                                      Encrypted:true
                                      SSDEEP:6144:fZ2o9DuSSNzqMMN+4LjKvyVTM7CivpILH6Pg2sNQkCoMvJXRnj:f79DuSSFqMkHjpVw7CiBI+PJcQOMvJRj
                                      MD5:D424B602F6750E406B4C971C9C2D2C4A
                                      SHA1:90E6DDAA4B83B2C87002587A890BB36197A048F0
                                      SHA-256:955D1D09ADD6984BB12F5B9DF5F5D621C2A4C0EA6919013E0826E7E238D341BB
                                      SHA-512:56455C1C89198E61630E5EB207278FE75637547B8CA98D156D6A7753185371998021F35F0882BE63BD047ADA15F829BD6165F791D81C259B731C8E424441AB56
                                      Malicious:false
                                      Preview:7z..'....e).........@..........%F.....y....7.OZ-Wn.e.....!Y:<.~|`1..{8..Hb.B.=.8hj.L8v...*..........b..V.2.#..A~.....J..........*.....,....x..... 'D.*.$.....3....Su^...M...at{..]l?..L.Z>ht.k@..kf..*.0..x.....7.J....8.....&.....#4.7..{.....Hi..."..Q..K........ ).0.U.YP._...../....m..2..uw..2..*x....'.p".k]@.[.O...D,..B?...x.b.j..r\..|..j.T..h.3......q....q..PF...^.F...|.Z.5[.K....^..|h...7.@z........m.T..W74.+....".Z.{..MNM..NG&...H....~<y.9POeAf....).)..1.............R.|.%*....G.L.L.L..l.6..@.x..n...7..z.....|..^.D.c..a..o1.......u../X......;loyr......D..%.8..m(.e....^.#mg..r..B.....C9....G..............Pq..7..MA....t...8..K.W..0..p....u......B.f..|........]...f2f."..........4....S $..l.5|..T...L..N.q..].(I.......FL.=..A....E.7m/.:@..H{..@W?;+p....vn.%..X....t'.Z.q...b.&.....i......Xs...5...e...[..;J2.L..c..D.......D..w_xl...l-..?2.o......(.n.n.M:...h.B.fC.o.....W..>,..Uj..i}.......b,.y.v...m./..83.(>.b......!XI}..o.z...e.=yA.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):63640
                                      Entropy (8bit):6.482810107683822
                                      Encrypted:false
                                      SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                      MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                      SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                      SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                      SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 9%
                                      • Antivirus: Virustotal, Detection: 4%, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):4096
                                      Entropy (8bit):3.344834847024567
                                      Encrypted:false
                                      SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnKwhldOVQOj6dKbKsz7
                                      MD5:7F252B19B6E96247184F55570325E9FA
                                      SHA1:E6D4AD432CB4864C0E1A08FB15255F7973807B3D
                                      SHA-256:84460DE817C9A6637650C7ED83D15DD14836FB841FF9790D4F2D1A8D6BAAB0ED
                                      SHA-512:A5741E4F5095BB24A28E5909CC659CB53535BD1E7A2555FA9D2660155F8CA80F96136E2CA589CCD2154FCF264B8FD525782B8C9752022B986F20D3F1454496EF
                                      Malicious:false
                                      Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvai
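The 4096-byte XML above is a Task Scheduler definition: registration metadata that imitates a stock Microsoft task (Author "Microsoft Corporation", Description "Microsoft") but a task path of \kafanbbs outside the \Microsoft\ tree, a LogonTrigger for the current user, RunLevel HighestAvailable, and settings (AllowHardTerminate false, StopIfGoingOnBatteries false, StartWhenAvailable true) chosen to keep the task running. The following script is an added example, not part of the sandbox report, that parses task XML and reports those traits so the same check can be run over C:\Windows\System32\Tasks on a suspect host. The sample document is rebuilt from the fields visible on the page; the preview is truncated, so the closing elements and the Exec action path are assumed placeholders.

```python
"""Flag persistence traits in a Windows Task Scheduler XML definition.

Added example, not sandbox output.  SAMPLE_TASK_XML reproduces the fields
shown in the dropped file above; everything after StartWhenAvailable,
including the Actions block and its placeholder command path, is assumed.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SAMPLE_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2005-10-11T13:21:17-08:00</Date>
    <Author>Microsoft Corporation</Author>
    <Version>1.0.0</Version>
    <Description>Microsoft</Description>
    <URI>\\kafanbbs</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="System">
      <UserId>user</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="System">
    <Exec>
      <Command>C:\\placeholder\\payload.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign counterpart: Microsoft task path, no logon trigger,
# least privilege, default-ish settings.
BENIGN_TASK_XML = (
    SAMPLE_TASK_XML.replace("\\kafanbbs", "\\Microsoft\\Windows\\Example\\Cleanup")
    .replace("LogonTrigger", "TimeTrigger")
    .replace("HighestAvailable", "LeastPrivilege")
    .replace("<AllowHardTerminate>false", "<AllowHardTerminate>true")
    .replace("<StartWhenAvailable>true", "<StartWhenAvailable>false")
)


def _text(node, path: str, default: str = "") -> str:
    found = node.find(path, NS)
    return (found.text or "").strip() if found is not None else default


def task_findings(xml_text: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    author = _text(root, "t:RegistrationInfo/t:Author")
    uri = _text(root, "t:RegistrationInfo/t:URI")
    if "microsoft" in author.lower() and not uri.lower().startswith("\\microsoft\\"):
        findings.append(f"author '{author}' but task path '{uri}' is outside \\Microsoft\\")

    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("logon trigger: re-runs at every sign-in")

    for principal in root.findall("t:Principals/t:Principal", NS):
        if _text(principal, "t:RunLevel") == "HighestAvailable":
            findings.append("RunLevel HighestAvailable: elevated when the user is an admin")

    # Settings that keep a task alive regardless of power state or kill requests.
    resilient = {
        "AllowHardTerminate": "false",
        "StopIfGoingOnBatteries": "false",
        "DisallowStartIfOnBatteries": "false",
        "StartWhenAvailable": "true",
    }
    hits = [k for k, v in resilient.items() if _text(root, f"t:Settings/t:{k}") == v]
    if len(hits) >= 3:
        findings.append("settings keep the task alive: " + ", ".join(hits))

    return findings


def is_suspicious(xml_text: str) -> bool:
    """Three or more independent traits together is the bar used here."""
    return len(task_findings(xml_text)) >= 3


if __name__ == "__main__":
    for line in task_findings(SAMPLE_TASK_XML):
        print("-", line)
```

Real task files under System32\Tasks are UTF-16 with a BOM; read them with `open(path, encoding="utf-16")` before passing the text in. None of the individual traits is malicious on its own (plenty of legitimate tasks run at logon with HighestAvailable), which is why the verdict requires several together and why the path-versus-author mismatch carries the most weight.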
                                      Process:C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
                                      File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                      Category:dropped
                                      Size (bytes):5649408
                                      Entropy (8bit):6.392614480390128
                                      Encrypted:false
                                      SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                      MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                      SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                      SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                      SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.1940658735648508
                                      Encrypted:false
                                      SSDEEP:3:NlllulnmWllZ:NllUmWl
                                      MD5:3EBBEC2F920D055DAC842B4FF84448FA
                                      SHA1:52D2AD86C481FAED6187FC7E6655C5BD646CA663
                                      SHA-256:32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
                                      SHA-512:163F2BECB9695851B36E3F502FA812BFBF6B88E4DCEA330A03995282E2C848A7DE6B9FDBA740E3DF536AB65390FBE3CC5F41F91505603945C0C79676B48EE5C3
                                      Malicious:false
                                      Preview:@...e................................................@..........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):6144
                                      Entropy (8bit):4.720366600008286
                                      Encrypted:false
                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3598848
                                      Entropy (8bit):7.004949099807939
                                      Encrypted:false
                                      SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                      MD5:1D1464C73252978A58AC925ECE57F0FB
                                      SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                      SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                      SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                      Malicious:true
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):6144
                                      Entropy (8bit):4.720366600008286
                                      Encrypted:false
                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3598848
                                      Entropy (8bit):7.004949099807939
                                      Encrypted:false
                                      SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                      MD5:1D1464C73252978A58AC925ECE57F0FB
                                      SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                      SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                      SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                      Malicious:true
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\Zt43pLXYiu.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3366912
                                      Entropy (8bit):6.530548291878271
                                      Encrypted:false
                                      SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                      MD5:9902FA6D39184B87AED7D94A037912D8
                                      SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                      SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                      SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                      Malicious:true
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:ASCII text, with CRLF, CR line terminators
                                      Category:dropped
                                      Size (bytes):406
                                      Entropy (8bit):5.117520345541057
                                      Encrypted:false
                                      SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                      MD5:9200058492BCA8F9D88B4877F842C148
                                      SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                      SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                      SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                      Malicious:false
                                      Preview (7-Zip console output, line breaks restored):
                                      7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
                                      Scanning the drive for archives:
                                        0M Scan  1 file, 31890 bytes (32 KiB)
                                      Extracting archive: locale3.dat
                                      --
                                      Path = locale3.dat
                                      Type = 7z
                                      Physical Size = 31890
                                      Headers Size = 354
                                      Method = LZMA2:16 LZMA:16 BCJ2 7zAES
                                      Solid = -
                                      Blocks = 1
                                        0%
                                      Everything is Ok
                                      Size:       63640
                                      Compressed: 31890
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.921107921233916
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 98.04%
                                      • Inno Setup installer (109748/4) 1.08%
                                      • InstallShield setup (43055/19) 0.42%
                                      • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                      File name:Zt43pLXYiu.exe
                                      File size:5'707'174 bytes
                                      MD5:a8d9973fa386ac46b47fed5f05d198d5
                                      SHA1:6a6cb373ff59178a029fcd2da3d5d1b29673cf3a
                                      SHA256:b88488b8e7066575eb4b3cca53545388c53420f8c9519a8a1866352a07cb481d
                                      SHA512:f5a00e78e0d51d7b597c4a0b0bb18d425bfb08ce5bdcc73822dce3065fb46a7782a13ded9ebcd6c9fd49947c476dd4572c072eae2049da53fea645e2b629a0c9
                                      SSDEEP:98304:XwREfaptn/e8iM2INNcyrxLjEJAqr7wnVbOdMwZgf:lfapZLibGNVrhjSw+s
                                      TLSH:FC461212F2CBE43EE4190B3B16B3A15495FB6A606422AD538BECB4ECCF750501E3E657
                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                      Icon Hash:0c0c2d33ceec80aa
                                      Entrypoint:0x4a83bc
                                      Entrypoint Section:.itext
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:1
                                      File Version Major:6
                                      File Version Minor:1
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:1
                                      Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                      Instruction
                                      push ebp
                                      mov ebp, esp
                                      add esp, FFFFFFA4h
                                      push ebx
                                      push esi
                                      push edi
                                      xor eax, eax
                                      mov dword ptr [ebp-3Ch], eax
                                      mov dword ptr [ebp-40h], eax
                                      mov dword ptr [ebp-5Ch], eax
                                      mov dword ptr [ebp-30h], eax
                                      mov dword ptr [ebp-38h], eax
                                      mov dword ptr [ebp-34h], eax
                                      mov dword ptr [ebp-2Ch], eax
                                      mov dword ptr [ebp-28h], eax
                                      mov dword ptr [ebp-14h], eax
                                      mov eax, 004A2EBCh
                                      call 00007F204457CEA5h
                                      xor eax, eax
                                      push ebp
                                      push 004A8AC1h
                                      push dword ptr fs:[eax]
                                      mov dword ptr fs:[eax], esp
                                      xor edx, edx
                                      push ebp
                                      push 004A8A7Bh
                                      push dword ptr fs:[edx]
                                      mov dword ptr fs:[edx], esp
                                      mov eax, dword ptr [004B0634h]
                                      call 00007F204460E82Bh
                                      call 00007F204460E37Eh
                                      lea edx, dword ptr [ebp-14h]
                                      xor eax, eax
                                      call 00007F2044609058h
                                      mov edx, dword ptr [ebp-14h]
                                      mov eax, 004B41F4h
                                      call 00007F2044576F53h
                                      push 00000002h
                                      push 00000000h
                                      push 00000001h
                                      mov ecx, dword ptr [004B41F4h]
                                      mov dl, 01h
                                      mov eax, dword ptr [0049CD14h]
                                      call 00007F204460A383h
                                      mov dword ptr [004B41F8h], eax
                                      xor edx, edx
                                      push ebp
                                      push 004A8A27h
                                      push dword ptr fs:[edx]
                                      mov dword ptr fs:[edx], esp
                                      call 00007F204460E8B3h
                                      mov dword ptr [004B4200h], eax
                                      mov eax, dword ptr [004B4200h]
                                      cmp dword ptr [eax+0Ch], 01h
                                      jne 00007F204461559Ah
                                      mov eax, dword ptr [004B4200h]
                                      mov edx, 00000028h
                                      call 00007F204460AC78h
                                      mov edx, dword ptr [004B4200h]
                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0xb7000          0x71          .edata
                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0xb5000          0xfec         .idata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0xcb000          0x11000       .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0xba000          0x10fa8       .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_TLS             0xb9000          0x18          .rdata
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IAT             0xb52d4          0x25c         .idata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0xb6000          0x1a4         .didata
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                      Name     Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                      .text    0x1000           0xa568c       0xa5800   b889d302f6fc48a904de33d8d947ae80  False     0.3620185045317221   data       6.377190161826806   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .itext   0xa7000          0x1b64        0x1c00    588dd0a8ab499300d3701cbd11b017d9  False     0.548828125          data       6.109264411030635   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .data    0xa9000          0x3838        0x3a00    5c0c76e77aef52ebc6702430837ccb6e  False     0.35338092672413796  data       4.95916338709992    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .bss     0xad000          0x7258        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .idata   0xb5000          0xfec         0x1000    627340dff539ef99048969aa4824fb2d  False     0.380615234375       data       5.020404933181373   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .didata  0xb6000          0x1a4         0x200     fd11c1109737963cc6cb7258063abfd6  False     0.34765625           data       2.729290535217263   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .edata   0xb7000          0x71          0x200     7de8ca0c7a61668a728fd3a88dc0942d  False     0.1796875            data       1.305578535725827   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .tls     0xb8000          0x18          0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rdata   0xb9000          0x5d          0x200     d84006640084dc9f74a07c2ff9c7d656  False     0.189453125          data       1.3892750148744617  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc   0xba000          0x10fa8       0x11000   a85fda2741bd9417695daa5fc5a9d7a5  False     0.5789579503676471   data       6.709466460182023   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      .rsrc    0xcb000          0x11000       0x11000   22275ad5d88888daf44251b5e37a8b11  False     0.18785903033088236  data       3.7212963188606576  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
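
The section table above, read together with the loader command line further down in the process list (`/SL5="$20424,4752782,845824,..."`), supports a quick static sanity check: headers plus the raw section sizes end exactly at byte 845824, so everything after that point (about 85% of the 5.7 MB file) is an overlay that the Inno Setup stub reads at the very offset it passes to Setup.tmp, which is also why the whole-file entropy of 7.92 sits far above any mapped section's. The Python below is an added example and not Joe Sandbox output: the section values, entry point, image base, file size and command line are transcribed from this report, while SizeOfHeaders (0x400) is an assumption, since the report does not print it.

```python
"""Static layout triage of the submitted Inno Setup loader (Zt43pLXYiu.exe).

Added example; this is not Joe Sandbox output. Section values, image base,
entry point, file size and the /SL5 command line are transcribed from the
report. SizeOfHeaders is NOT printed in the report, so 0x400 is an assumption
(the usual value for a FileAlignment of 0x200).
"""
import re
from dataclasses import dataclass

IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x4A83BC
FILE_SIZE = 5_707_174
ASSUMED_SIZE_OF_HEADERS = 0x400  # assumption, see module docstring


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float


# Transcribed from the report's section table (entropy rounded to 3 places).
SECTIONS = [
    Section(".text",   0x01000, 0x0A568C, 0x0A5800, 6.377),
    Section(".itext",  0xA7000, 0x001B64, 0x001C00, 6.109),
    Section(".data",   0xA9000, 0x003838, 0x003A00, 4.959),
    Section(".bss",    0xAD000, 0x007258, 0x000000, 0.0),
    Section(".idata",  0xB5000, 0x000FEC, 0x001000, 5.020),
    Section(".didata", 0xB6000, 0x0001A4, 0x000200, 2.729),
    Section(".edata",  0xB7000, 0x000071, 0x000200, 1.306),
    Section(".tls",    0xB8000, 0x000018, 0x000000, 0.0),
    Section(".rdata",  0xB9000, 0x00005D, 0x000200, 1.389),
    Section(".reloc",  0xBA000, 0x010FA8, 0x011000, 6.709),
    Section(".rsrc",   0xCB000, 0x011000, 0x011000, 3.721),
]

# Loader command line copied from the process list (Target ID 1).
SAMPLE_TMP_CMDLINE = (
    r'"C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp" '
    r'/SL5="$20424,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe"'
)
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]*)"')


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose mapped range covers rva, or None. The span is
    max(VirtualSize, SizeOfRawData), the convention common PE parsers use, and
    it reproduces the report's 'Is in Section' column."""
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            return s.name
    return None


def entrypoint_section(entry_va=ENTRYPOINT_VA, image_base=IMAGE_BASE):
    """AddressOfEntryPoint is an RVA; the report prints a VA, so subtract the base."""
    return section_for_rva(entry_va - image_base)


def overlay_offset(sections=SECTIONS, size_of_headers=ASSUMED_SIZE_OF_HEADERS):
    """First file offset after the last section's raw bytes. Raw data follows the
    headers back to back, so anything past this point is appended data (overlay)
    that the PE loader never maps and a section-by-section scan never sees."""
    return size_of_headers + sum(s.raw_size for s in sections)


def overlay_size(file_size=FILE_SIZE):
    return file_size - overlay_offset()


def overlay_fraction(file_size=FILE_SIZE):
    """Share of the file that is overlay; a share this large is why the whole-file
    entropy (7.92) is far above every mapped section's."""
    return overlay_size(file_size) / file_size


def unbacked_sections(sections=SECTIONS):
    """Sections with a virtual footprint but zero bytes on disk (.bss and .tls here).
    The loader zero-fills them, so nothing in them is visible to a static scanner."""
    return [s.name for s in sections if s.raw_size == 0 and s.virtual_size > 0]


def parse_sl5(cmdline):
    """Split the Inno Setup /SL5 argument the stub passes to the extracted Setup.tmp."""
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return {"window": int(m.group(1), 16), "total_size": int(m.group(2)),
            "offset": int(m.group(3)), "loader": m.group(4)}


def loader_offset_matches_overlay(cmdline=SAMPLE_TMP_CMDLINE):
    """The offset handed to Setup.tmp should equal the overlay start computed from
    the section table; a mismatch deserves a second look (wrong SizeOfHeaders
    assumption, edited headers, or data appended after the build)."""
    sl5 = parse_sl5(cmdline)
    return sl5 is not None and sl5["offset"] == overlay_offset()


if __name__ == "__main__":
    print("entry point in", entrypoint_section())
    print("overlay starts at", overlay_offset(), "size", overlay_size(),
          f"({overlay_fraction():.1%} of file)")
    print("TLS directory 0xb9000 lives in", section_for_rva(0xB9000))
    print("unbacked sections", unbacked_sections())
    print("/SL5 offset matches overlay:", loader_offset_matches_overlay())
```

Two details worth noticing when you run it: the TLS directory at 0xb9000 resolves to .rdata even though a .tls section exists at 0xb8000, exactly as the directory table above reports, and .bss and .tls have no file-backed bytes at all, so any content that appears in them at runtime was written there by code, not loaded from disk.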
                                      Name           RVA      Size    ZLIB Complexity      Language / Country       Type
                                      RT_ICON        0xcb678  0xa68   0.1174924924924925   English / United States  Device independent bitmap graphic, 64 x 128 x 4, image size 2048
                                      RT_ICON        0xcc0e0  0x668   0.15792682926829268  English / United States  Device independent bitmap graphic, 48 x 96 x 4, image size 1152
                                      RT_ICON        0xcc748  0x2e8   0.23387096774193547  English / United States  Device independent bitmap graphic, 32 x 64 x 4, image size 512
                                      RT_ICON        0xcca30  0x128   0.39864864864864863  English / United States  Device independent bitmap graphic, 16 x 32 x 4, image size 128
                                      RT_ICON        0xccb58  0x1628  0.08339210155148095  English / United States  Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors
                                      RT_ICON        0xce180  0xea8   0.1023454157782516   English / United States  Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors
                                      RT_ICON        0xcf028  0x8a8   0.10649819494584838  English / United States  Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors
                                      RT_ICON        0xcf8d0  0x568   0.10838150289017341  English / United States  Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors
                                      RT_ICON        0xcfe38  0x12e5  0.8712011577424024   English / United States  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                      RT_ICON        0xd1120  0x4228  0.05668398677373642  English / United States  Device independent bitmap graphic, 64 x 128 x 32, image size 16896
                                      RT_ICON        0xd5348  0x25a8  0.08475103734439834  English / United States  Device independent bitmap graphic, 48 x 96 x 32, image size 9600
                                      RT_ICON        0xd78f0  0x10a8  0.09920262664165103  English / United States  Device independent bitmap graphic, 32 x 64 x 32, image size 4224
                                      RT_ICON        0xd8998  0x468   0.2047872340425532   English / United States  Device independent bitmap graphic, 16 x 32 x 32, image size 1088
                                      RT_STRING      0xd8e00  0x3f8   0.3198818897637795                            data
                                      RT_STRING      0xd91f8  0x2dc   0.36475409836065575                           data
                                      RT_STRING      0xd94d4  0x430   0.40578358208955223                           data
                                      RT_STRING      0xd9904  0x44c   0.38636363636363635                           data
                                      RT_STRING      0xd9d50  0x2d4   0.39226519337016574                           data
                                      RT_STRING      0xda024  0xb8    0.6467391304347826                            data
                                      RT_STRING      0xda0dc  0x9c    0.6410256410256411                            data
                                      RT_STRING      0xda178  0x374   0.4230769230769231                            data
                                      RT_STRING      0xda4ec  0x398   0.3358695652173913                            data
                                      RT_STRING      0xda884  0x368   0.3795871559633027                            data
                                      RT_STRING      0xdabec  0x2a4   0.4275147928994083                            data
                                      RT_RCDATA      0xdae90  0x10    1.5                                           data
                                      RT_RCDATA      0xdaea0  0x310   0.6173469387755102                            data
                                      RT_RCDATA      0xdb1b0  0x2c    1.1818181818181819                            data
                                      RT_GROUP_ICON  0xdb1dc  0xbc    0.6170212765957447   English / United States  data
                                      RT_VERSION     0xdb298  0x584   0.2804532577903683   English / United States  data
                                      RT_MANIFEST    0xdb81c  0x7a8   0.3377551020408163   English / United States  XML 1.0 document, ASCII text, with CRLF line terminators
                                      DLL           Imports
                                      kernel32.dll  GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                      comctl32.dll  InitCommonControls
                                      user32.dll    CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                      oleaut32.dll  SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                      advapi32.dll  ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                      Name                 Ordinal  Address
                                      __dbk_fcall_wrapper  2        0x40fc10
                                      dbkFCallWrapperAddr  1        0x4b063c
                                      Language of compilation system: English
                                      Country where language is spoken: United States
                                      No network behavior found

                                      Target ID:0
                                      Start time:23:28:16
                                      Start date:22/12/2024
                                      Path:C:\Users\user\Desktop\Zt43pLXYiu.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\Zt43pLXYiu.exe"
                                      Imagebase:0x1e0000
                                      File size:5'707'174 bytes
                                      MD5 hash:A8D9973FA386AC46B47FED5F05D198D5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:23:28:16
                                      Start date:22/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-UK1DD.tmp\Zt43pLXYiu.tmp" /SL5="$20424,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe"
                                      Imagebase:0xc20000
                                      File size:3'366'912 bytes
                                      MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:23:28:17
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                      Imagebase:0x7ff788560000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:23:28:17
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:23:28:20
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                      Imagebase:0x7ff693ab0000
                                      File size:496'640 bytes
                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:5
                                      Start time:23:28:25
                                      Start date:22/12/2024
                                      Path:C:\Users\user\Desktop\Zt43pLXYiu.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT
                                      Imagebase:0x1e0000
                                      File size:5'707'174 bytes
                                      MD5 hash:A8D9973FA386AC46B47FED5F05D198D5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:false

                                      Target ID:6
                                      Start time:23:28:25
                                      Start date:22/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-O8B8A.tmp\Zt43pLXYiu.tmp" /SL5="$3043E,4752782,845824,C:\Users\user\Desktop\Zt43pLXYiu.exe" /VERYSILENT
                                      Imagebase:0xeb0000
                                      File size:3'366'912 bytes
                                      MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:true

                                      Target ID:7
                                      Start time:23:28:28
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:23:28:28
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:23:28:28
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:23:28:28
                                      Start date:22/12/2024
                                      Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                      Wow64 process (32bit):true
                                      Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                      Imagebase:0x230000
                                      File size:831'200 bytes
                                      MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      • Detection: 0%, Virustotal, Browse
                                      Has exited:true

                                      Target ID:11
                                      Start time:23:28:28
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:12
                                      Start time:23:28:28
                                      Start date:22/12/2024
                                      Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                      Wow64 process (32bit):true
                                      Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                      Imagebase:0x230000
                                      File size:831'200 bytes
                                      MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:13
                                      Start time:23:28:28
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:14
                                      Start time:23:28:29
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:15
                                      Start time:23:28:29
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:16
                                      Start time:23:28:29
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:23:28:29
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:23:28:29
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:23:28:29
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:23:28:29
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:23:28:29
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:23:28:29
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:23:28:29
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:23:28:29
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:23:28:29
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:35
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:36
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:37
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:39
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:23:28:30
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:47
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:48
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:49
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:50
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:51
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:52
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:53
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:54
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:55
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:56
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:57
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:58
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:59
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:60
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:61
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:62
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:63
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:64
                                      Start time:23:28:31
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:66
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:67
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:68
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:69
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:70
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:71
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:72
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:73
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:74
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:75
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:76
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:77
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:78
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:79
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:80
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:81
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:82
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:83
                                      Start time:23:28:32
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:84
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:85
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:86
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:87
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:88
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:89
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:90
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:91
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:92
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:93
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:94
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:95
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:96
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:97
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:98
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:99
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:100
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:101
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:102
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:103
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:104
                                      Start time:23:28:33
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:105
                                      Start time:23:28:34
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:106
                                      Start time:23:28:34
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff681640000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:107
                                      Start time:23:28:34
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:108
                                      Start time:23:28:34
                                      Start date:22/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7ca210000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true
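
Detection note on the block of processes above (Target IDs 84 to 108): the sample spawns `cmd /c start sc start CleverSoar` over and over, all within 23:28:33 to 23:28:34, each cmd.exe in turn launching `sc start CleverSoar` plus a conhost.exe. A single `sc start` is unremarkable on a Windows host; a burst of starts for the same service name from an elevated cmd.exe is a usable hunting signal. The helper below is an added example for this report, not Joe Sandbox code and not part of the sample; the event records are constructed to mirror the listed processes, and the field names (`ts`, `image`, `cmdline`) are an assumed schema rather than a Joe Sandbox export format. It parses the service name out of `sc` command lines (whether typed directly or wrapped in `cmd /c start`) and reports any service started repeatedly inside a short window.

```python
"""
Spot the `cmd /c start sc start <service>` retry loop shown in the process list.

Added example, not Joe Sandbox code. Event dicts below are constructed to mirror
the report's process entries; the ts/image/cmdline fields are an assumed schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# sc.exe invocation, optionally with a path and quotes, followed by a verb that
# changes service state and the service name. Case-insensitive.
SC_RE = re.compile(
    r'(?:^|\s)(?:\S*\\)?sc(?:\.exe)?"?\s+(start|create|config|delete)\s+"?([^\s"]+)',
    re.I,
)


def sc_service(cmdline: str):
    """Return (verb, service_name) if the command line drives sc.exe, else None.

    Works for both the wrapper (`cmd /c start sc start X`) and sc.exe itself.
    """
    m = SC_RE.search(cmdline)
    return (m.group(1).lower(), m.group(2)) if m else None


def sc_start_bursts(events, window=timedelta(seconds=5), threshold=3):
    """Return {service_name: count} for services started `threshold` or more
    times within any `window`-long span.

    Only sc.exe images are counted, so the cmd.exe wrapper that launches sc.exe
    is not double counted.
    """
    starts = defaultdict(list)
    for ev in events:
        if not ev["image"].lower().endswith("\\sc.exe"):
            continue
        parsed = sc_service(ev["cmdline"])
        if parsed and parsed[0] == "start":
            starts[parsed[1]].append(ev["ts"])

    bursts = {}
    for svc, times in starts.items():
        times.sort()
        best, lo = 0, 0
        # sliding window over sorted timestamps: largest run that fits in `window`
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[svc] = best
    return bursts


def _ev(ts, image, cmdline):
    return {"ts": ts, "image": image, "cmdline": cmdline}


# Constructed sample telemetry modelled on Target IDs 84-108 above:
# eight cmd.exe -> sc.exe -> conhost.exe triples within about one second,
# then two benign sc.exe uses minutes later.
T0 = datetime(2024, 12, 22, 23, 28, 33)
SAMPLE_EVENTS = []
for i in range(8):
    t = T0 + timedelta(milliseconds=150 * i)
    SAMPLE_EVENTS.append(_ev(t, r"C:\Windows\System32\cmd.exe", "cmd /c start sc start CleverSoar"))
    SAMPLE_EVENTS.append(_ev(t, r"C:\Windows\System32\sc.exe", "sc start CleverSoar"))
    SAMPLE_EVENTS.append(_ev(t, r"C:\Windows\System32\conhost.exe",
                            r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"))
SAMPLE_EVENTS.append(_ev(T0 + timedelta(minutes=3), r"C:\Windows\System32\sc.exe", "sc start Spooler"))
SAMPLE_EVENTS.append(_ev(T0 + timedelta(minutes=4), r"C:\Windows\System32\sc.exe", "sc query CleverSoar"))


if __name__ == "__main__":
    for svc, n in sc_start_bursts(SAMPLE_EVENTS).items():
        print(f"service {svc!r} started {n} times within 5 s")
```

On the constructed events this reports `CleverSoar` with 8 starts and stays silent on the one-off `sc start Spooler` and the `sc query`. The service name it extracts is the pivot a responder wants next: look up the service's binary path and the account it runs as, and check when it was created, since this section only shows the start attempts and not the `sc create` that must have preceded them.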


                                        Execution Graph

                                        Execution Coverage:2.3%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:15.5%
                                        Total number of Nodes:818
                                        Total number of Limit Nodes:9
                                        (Execution graph rendering omitted: the node and edge listing does not survive extraction. API call chains visible in the graph nodes, grouped by purpose:)
                                        Service control:OpenSCManagerA, OpenServiceA
                                        Process enumeration:CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle
                                        Process creation:CreateProcessA, WaitForSingleObject, CloseHandle
                                        Privilege adjustment and shutdown:GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, NtInitiatePowerAction; ExitWindowsEx, Sleep; GetCurrentProcess, TerminateProcess
                                        File I/O:CreateFileA, FindFirstFileA, FindClose, ReadFile, WriteFile, CloseHandle
                                        Runtime / CRT:IsProcessorFeaturePresent, RaiseException, EnterCriticalSection, LeaveCriticalSection, HeapAlloc, HeapFree, GetLastError
API calls __Getctype 66389->66399 66391 6c1ab2e9 66391->66392 66400 6c1b3ea8 37 API calls __Getctype 66391->66400 66392->66385 66401 6c1a0120 18 API calls __Getctype 66392->66401 66402 6c1b4396 66394->66402 66397->66385 66398->66389 66399->66391 66400->66392 66401->66385 66404 6c1b43a2 __wsopen_s 66402->66404 66403 6c1b43a9 66420 6c1a0120 18 API calls __Getctype 66403->66420 66404->66403 66405 6c1b43d4 66404->66405 66411 6c1b3ffe 66405->66411 66410 6c1b3ff9 66410->66352 66422 6c1a06cb 66411->66422 66417 6c1b4034 66418 6c1b4066 66417->66418 66462 6c1a47bb HeapFree GetLastError __dosmaperr 66417->66462 66421 6c1b442b LeaveCriticalSection __wsopen_s 66418->66421 66420->66410 66421->66410 66463 6c19bceb 66422->66463 66425 6c1a06ef 66427 6c19bdf6 66425->66427 66472 6c19be4e 66427->66472 66429 6c19be0e 66429->66417 66430 6c1b406c 66429->66430 66487 6c1b44ec 66430->66487 66435 6c1b409e __dosmaperr 66435->66417 66437 6c1b4192 GetFileType 66439 6c1b419d GetLastError 66437->66439 66440 6c1b41e4 66437->66440 66438 6c1b4167 GetLastError 66438->66435 66516 6c19f9f2 __dosmaperr 66439->66516 66517 6c1b17b0 SetStdHandle __dosmaperr __wsopen_s 66440->66517 66441 6c1b4115 66441->66437 66441->66438 66515 6c1b4457 CreateFileW 66441->66515 66443 6c1b41ab CloseHandle 66443->66435 66447 6c1b41d4 66443->66447 66446 6c1b415a 66446->66437 66446->66438 66447->66435 66448 6c1b4205 66449 6c1b4251 66448->66449 66518 6c1b4666 70 API calls 2 library calls 66448->66518 66453 6c1b4258 66449->66453 66532 6c1b4710 70 API calls 2 library calls 66449->66532 66452 6c1b4286 66452->66453 66454 6c1b4294 66452->66454 66519 6c1ab925 66453->66519 66454->66435 66456 6c1b4310 CloseHandle 66454->66456 66533 6c1b4457 CreateFileW 66456->66533 66458 6c1b433b 66458->66447 66459 6c1b4345 GetLastError 66458->66459 66460 6c1b4351 __dosmaperr 66459->66460 66534 6c1b171f SetStdHandle __dosmaperr __wsopen_s 66460->66534 66462->66418 66464 6c19bd0b 66463->66464 66465 6c19bd02 66463->66465 66464->66465 66466 6c1a49b2 
__Getctype 37 API calls 66464->66466 66465->66425 66471 6c1a69d5 5 API calls std::_Lockit::_Lockit 66465->66471 66467 6c19bd2b 66466->66467 66468 6c1a4f28 __Getctype 37 API calls 66467->66468 66469 6c19bd41 66468->66469 66470 6c1a4f55 __cftoe 37 API calls 66469->66470 66470->66465 66471->66425 66473 6c19be5c 66472->66473 66474 6c19be76 66472->66474 66477 6c19bddc __wsopen_s HeapFree GetLastError 66473->66477 66475 6c19be7d 66474->66475 66476 6c19be9c 66474->66476 66479 6c19bd9d __wsopen_s HeapFree GetLastError 66475->66479 66480 6c19be66 __dosmaperr 66475->66480 66478 6c1a4843 __fassign MultiByteToWideChar 66476->66478 66477->66480 66481 6c19beab 66478->66481 66479->66480 66480->66429 66482 6c19beb2 GetLastError 66481->66482 66483 6c19bed8 66481->66483 66484 6c19bd9d __wsopen_s HeapFree GetLastError 66481->66484 66482->66480 66483->66480 66485 6c1a4843 __fassign MultiByteToWideChar 66483->66485 66484->66483 66486 6c19beef 66485->66486 66486->66480 66486->66482 66488 6c1b4527 66487->66488 66490 6c1b450d 66487->66490 66489 6c1b447c __wsopen_s 18 API calls 66488->66489 66491 6c1b455f 66489->66491 66490->66488 66492 6c1a0120 __Getctype 18 API calls 66490->66492 66496 6c1a0120 __Getctype 18 API calls 66491->66496 66498 6c1b458e 66491->66498 66492->66488 66493 6c1b5911 __wsopen_s 18 API calls 66494 6c1b45dc 66493->66494 66495 6c1b4659 66494->66495 66499 6c1b4089 66494->66499 66497 6c1a014d __Getctype 11 API calls 66495->66497 66496->66498 66500 6c1b4665 66497->66500 66498->66493 66498->66499 66499->66435 66501 6c1b160c 66499->66501 66502 6c1b1618 __wsopen_s 66501->66502 66503 6c1a039f std::_Lockit::_Lockit EnterCriticalSection 66502->66503 66506 6c1b161f 66503->66506 66504 6c1b1666 66505 6c1b1716 __wsopen_s LeaveCriticalSection 66504->66505 66508 6c1b1686 66505->66508 66506->66504 66507 6c1b1644 66506->66507 66511 6c1b16b3 EnterCriticalSection 66506->66511 66509 6c1b1842 __wsopen_s 11 API calls 66507->66509 66508->66435 66514 6c1b4457 CreateFileW 66508->66514 66510 
6c1b1649 66509->66510 66510->66504 66513 6c1b1990 __wsopen_s EnterCriticalSection 66510->66513 66511->66504 66512 6c1b16c0 LeaveCriticalSection 66511->66512 66512->66506 66513->66504 66514->66441 66515->66446 66516->66443 66517->66448 66518->66449 66520 6c1b15a2 __wsopen_s 18 API calls 66519->66520 66522 6c1ab935 66520->66522 66521 6c1ab93b 66523 6c1b171f __wsopen_s SetStdHandle 66521->66523 66522->66521 66524 6c1ab96d 66522->66524 66525 6c1b15a2 __wsopen_s 18 API calls 66522->66525 66531 6c1ab993 __dosmaperr 66523->66531 66524->66521 66526 6c1b15a2 __wsopen_s 18 API calls 66524->66526 66528 6c1ab964 66525->66528 66527 6c1ab979 CloseHandle 66526->66527 66527->66521 66529 6c1ab985 GetLastError 66527->66529 66530 6c1b15a2 __wsopen_s 18 API calls 66528->66530 66529->66521 66530->66524 66531->66435 66532->66452 66533->66458 66534->66447 66535->66335 66537 6c1a0ba9 66536->66537 66538 6c1a0bbe 66536->66538 66574 6c1a0120 18 API calls __Getctype 66537->66574 66541 6c1a0bb9 66538->66541 66552 6c1a0cb9 66538->66552 66541->66337 66546 6c1a0be1 66567 6c1ab898 66546->66567 66548 6c1a0be7 66548->66541 66575 6c1a47bb HeapFree GetLastError __dosmaperr 66548->66575 66550->66339 66551->66339 66553 6c1a0cd1 66552->66553 66557 6c1a0bd3 66552->66557 66554 6c1a9c60 18 API calls 66553->66554 66553->66557 66555 6c1a0cef 66554->66555 66576 6c1abb6c 66555->66576 66558 6c1a873e 66557->66558 66559 6c1a0bdb 66558->66559 66560 6c1a8755 66558->66560 66562 6c1a9c60 66559->66562 66560->66559 66664 6c1a47bb HeapFree GetLastError __dosmaperr 66560->66664 66563 6c1a9c81 66562->66563 66564 6c1a9c6c 66562->66564 66563->66546 66665 6c1a0120 18 API calls __Getctype 66564->66665 66566 6c1a9c7c 66566->66546 66568 6c1ab8be 66567->66568 66572 6c1ab8a9 __dosmaperr 66567->66572 66569 6c1ab8e5 66568->66569 66571 6c1ab907 __dosmaperr 66568->66571 66666 6c1ab9c1 66569->66666 66674 6c1a0120 18 API calls __Getctype 66571->66674 66572->66548 66574->66541 66575->66541 66577 6c1abb78 __wsopen_s 66576->66577 66578 
6c1abc33 __dosmaperr 66577->66578 66579 6c1abbca 66577->66579 66583 6c1abb80 __dosmaperr 66577->66583 66617 6c1a0120 18 API calls __Getctype 66578->66617 66587 6c1b1990 EnterCriticalSection 66579->66587 66581 6c1abbd0 66585 6c1abbec __dosmaperr 66581->66585 66588 6c1abc5e 66581->66588 66583->66557 66616 6c1abc2b LeaveCriticalSection __wsopen_s 66585->66616 66587->66581 66589 6c1abc80 66588->66589 66615 6c1abc9c __dosmaperr 66588->66615 66590 6c1abcd4 66589->66590 66592 6c1abc84 __dosmaperr 66589->66592 66591 6c1abce7 66590->66591 66626 6c1aac69 20 API calls __wsopen_s 66590->66626 66618 6c1abe40 66591->66618 66625 6c1a0120 18 API calls __Getctype 66592->66625 66597 6c1abd3c 66599 6c1abd50 66597->66599 66600 6c1abd95 WriteFile 66597->66600 66598 6c1abcfd 66601 6c1abd26 66598->66601 66604 6c1abd01 66598->66604 66602 6c1abd5b 66599->66602 66603 6c1abd85 66599->66603 66605 6c1abdb9 GetLastError 66600->66605 66600->66615 66628 6c1abeb1 43 API calls 5 library calls 66601->66628 66607 6c1abd60 66602->66607 66608 6c1abd75 66602->66608 66631 6c1ac2c3 7 API calls 2 library calls 66603->66631 66604->66615 66627 6c1ac25b 6 API calls __wsopen_s 66604->66627 66605->66615 66611 6c1abd65 66607->66611 66607->66615 66630 6c1ac487 8 API calls 3 library calls 66608->66630 66629 6c1ac39e 7 API calls 2 library calls 66611->66629 66613 6c1abd73 66613->66615 66615->66585 66616->66583 66617->66583 66632 6c1b19e5 66618->66632 66620 6c1abcf8 66620->66597 66620->66598 66621 6c1abe51 66621->66620 66637 6c1a49b2 GetLastError 66621->66637 66624 6c1abe8e GetConsoleMode 66624->66620 66625->66615 66626->66591 66627->66615 66628->66615 66629->66613 66630->66613 66631->66613 66634 6c1b19f2 66632->66634 66635 6c1b19ff 66632->66635 66633 6c1b1a0b 66633->66621 66634->66621 66635->66633 66636 6c1a0120 __Getctype 18 API calls 66635->66636 66636->66634 66638 6c1a49c9 66637->66638 66642 6c1a49cf 66637->66642 66639 6c1a6b23 __Getctype 6 API calls 66638->66639 66639->66642 66640 6c1a6b62 __Getctype 6 API 
calls 66641 6c1a49ed 66640->66641 66643 6c1a49d5 SetLastError 66641->66643 66644 6c1a49f1 66641->66644 66642->66640 66642->66643 66650 6c1a4a69 66643->66650 66651 6c1a4a63 66643->66651 66645 6c1a71e5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 66644->66645 66646 6c1a49fd 66645->66646 66648 6c1a4a1c 66646->66648 66649 6c1a4a05 66646->66649 66654 6c1a6b62 __Getctype 6 API calls 66648->66654 66652 6c1a6b62 __Getctype 6 API calls 66649->66652 66653 6c1a0ac9 __Getctype 35 API calls 66650->66653 66651->66620 66651->66624 66655 6c1a4a13 66652->66655 66656 6c1a4a6e 66653->66656 66657 6c1a4a28 66654->66657 66660 6c1a47bb _free HeapFree GetLastError 66655->66660 66658 6c1a4a2c 66657->66658 66659 6c1a4a3d 66657->66659 66661 6c1a6b62 __Getctype 6 API calls 66658->66661 66663 6c1a47bb _free HeapFree GetLastError 66659->66663 66662 6c1a4a19 66660->66662 66661->66655 66662->66643 66663->66662 66664->66559 66665->66566 66667 6c1ab9cd __wsopen_s 66666->66667 66675 6c1b1990 EnterCriticalSection 66667->66675 66669 6c1ab9db 66670 6c1aba08 66669->66670 66671 6c1ab925 __wsopen_s 21 API calls 66669->66671 66676 6c1aba41 LeaveCriticalSection __wsopen_s 66670->66676 66671->66670 66673 6c1aba2a 66673->66572 66674->66572 66675->66669 66676->66673 66677->66170 66678->66173 66679->66170 66680->66170 66681->66170 66683 6c06022e 66682->66683 66684 6c0370c4 66683->66684 66689 6c1a17db 66683->66689 66684->66182 66686->66184 66687->66186 66688->66188 66690 6c1a17e9 66689->66690 66691 6c1a1806 66689->66691 66690->66691 66692 6c1a180a 66690->66692 66693 6c1a17f6 66690->66693 66691->66683 66697 6c1a1a02 66692->66697 66705 6c1a0120 18 API calls __Getctype 66693->66705 66698 6c1a1a0e __wsopen_s 66697->66698 66706 6c19c5a9 EnterCriticalSection 66698->66706 66700 6c1a1a1c 66707 6c1a19bf 66700->66707 66704 6c1a183c 66704->66683 66705->66691 66706->66700 66715 6c1a85a6 66707->66715 66713 6c1a19f9 66714 6c1a1a51 LeaveCriticalSection 66713->66714 66714->66704 66716 6c1a9c60 18 API calls 
66715->66716 66717 6c1a85b7 66716->66717 66718 6c1b19e5 __wsopen_s 18 API calls 66717->66718 66719 6c1a85bd __wsopen_s 66718->66719 66720 6c1a19d3 66719->66720 66732 6c1a47bb HeapFree GetLastError __dosmaperr 66719->66732 66722 6c1a183e 66720->66722 66723 6c1a186e 66722->66723 66725 6c1a1850 66722->66725 66731 6c1a8659 62 API calls 66723->66731 66724 6c1a185e 66733 6c1a0120 18 API calls __Getctype 66724->66733 66725->66723 66725->66724 66729 6c1a1886 _Yarn 66725->66729 66727 6c1a0cb9 62 API calls 66727->66729 66728 6c1a9c60 18 API calls 66728->66729 66729->66723 66729->66727 66729->66728 66730 6c1abb6c __wsopen_s 62 API calls 66729->66730 66730->66729 66731->66713 66732->66720 66733->66723 66735 6c196025 66734->66735 66736 6c062020 52 API calls 66735->66736 66737 6c1960c6 66736->66737 66738 6c196a43 std::_Facet_Register 4 API calls 66737->66738 66739 6c1960fe 66738->66739 66740 6c197327 43 API calls 66739->66740 66741 6c196112 66740->66741 66742 6c061d90 89 API calls 66741->66742 66743 6c1961bb 66742->66743 66744 6c1961ec 66743->66744 66786 6c062250 30 API calls 66743->66786 66744->66204 66746 6c196226 66787 6c0626e0 24 API calls 4 library calls 66746->66787 66748 6c196238 66788 6c199379 RaiseException 66748->66788 66750 6c19624d 66751 6c05e010 67 API calls 66750->66751 66752 6c19625f 66751->66752 66752->66204 66754 6c19638d 66753->66754 66789 6c1965a0 66754->66789 66757 6c19647c 66757->66206 66760 6c1963a5 66760->66757 66807 6c062250 30 API calls 66760->66807 66808 6c0626e0 24 API calls 4 library calls 66760->66808 66809 6c199379 RaiseException 66760->66809 66762 6c07203f 66761->66762 66765 6c072053 66762->66765 66818 6c063560 32 API calls std::_Xinvalid_argument 66762->66818 66767 6c07210e 66765->66767 66820 6c062250 30 API calls 66765->66820 66821 6c0626e0 24 API calls 4 library calls 66765->66821 66822 6c199379 RaiseException 66765->66822 66766 6c072121 66766->66206 66767->66766 66819 6c0637e0 32 API calls std::_Xinvalid_argument 66767->66819 66772 6c195b9e 
66771->66772 66776 6c195bd1 66771->66776 66773 6c0601f0 64 API calls 66772->66773 66775 6c195bc4 66773->66775 66774 6c195c83 66774->66215 66777 6c1a0b18 67 API calls 66775->66777 66776->66774 66823 6c062250 30 API calls 66776->66823 66777->66776 66779 6c195cae 66824 6c062340 24 API calls 66779->66824 66781 6c195cbe 66825 6c199379 RaiseException 66781->66825 66783 6c195cc9 66784 6c05e010 67 API calls 66783->66784 66785 6c195d22 std::ios_base::_Ios_base_dtor 66784->66785 66785->66215 66786->66746 66787->66748 66788->66750 66790 6c196608 66789->66790 66791 6c1965dc 66789->66791 66797 6c196619 66790->66797 66810 6c063560 32 API calls std::_Xinvalid_argument 66790->66810 66792 6c196601 66791->66792 66812 6c062250 30 API calls 66791->66812 66792->66760 66795 6c1967e8 66813 6c062340 24 API calls 66795->66813 66797->66792 66811 6c062f60 42 API calls 4 library calls 66797->66811 66798 6c1967f7 66814 6c199379 RaiseException 66798->66814 66802 6c196827 66816 6c062340 24 API calls 66802->66816 66804 6c19683d 66817 6c199379 RaiseException 66804->66817 66806 6c196653 66806->66792 66815 6c062250 30 API calls 66806->66815 66807->66760 66808->66760 66809->66760 66810->66797 66811->66806 66812->66795 66813->66798 66814->66806 66815->66802 66816->66804 66817->66792 66818->66765 66819->66766 66820->66765 66821->66765 66822->66765 66823->66779 66824->66781 66825->66783 66826 6c013d62 66828 6c013bc0 66826->66828 66827 6c013e8a GetCurrentThread NtSetInformationThread 66829 6c013eea 66827->66829 66828->66827 66830 6c024a27 66832 6c024a5d _strlen 66830->66832 66831 6c03639e 66921 6c1a0130 18 API calls __Getctype 66831->66921 66832->66831 66833 6c025b58 66832->66833 66834 6c025b6f 66832->66834 66838 6c025b09 _Yarn 66832->66838 66836 6c196a43 std::_Facet_Register 4 API calls 66833->66836 66837 6c196a43 std::_Facet_Register 4 API calls 66834->66837 66836->66838 66837->66838 66839 6c18aec0 2 API calls 66838->66839 66841 6c025bad std::ios_base::_Ios_base_dtor 66839->66841 66840 6c194ff0 4 API 
calls 66850 6c0261cb _strlen 66840->66850 66841->66831 66841->66840 66844 6c029ba5 std::ios_base::_Ios_base_dtor _Yarn _strlen 66841->66844 66842 6c196a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66842->66844 66843 6c18aec0 2 API calls 66843->66844 66844->66831 66844->66842 66844->66843 66845 6c02a292 Sleep 66844->66845 66865 6c02e619 66844->66865 66863 6c029bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 66845->66863 66846 6c026624 66849 6c196a43 std::_Facet_Register 4 API calls 66846->66849 66847 6c02660d 66848 6c196a43 std::_Facet_Register 4 API calls 66847->66848 66855 6c0265bc _Yarn _strlen 66848->66855 66849->66855 66850->66831 66850->66846 66850->66847 66850->66855 66851 6c194ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 66851->66863 66852 6c029bbd GetCurrentProcess TerminateProcess 66852->66844 66853 6c0363b2 66922 6c0115e0 18 API calls std::ios_base::_Ios_base_dtor 66853->66922 66855->66853 66857 6c026970 66855->66857 66858 6c026989 66855->66858 66861 6c026920 _Yarn 66855->66861 66856 6c0364f8 66859 6c196a43 std::_Facet_Register 4 API calls 66857->66859 66860 6c196a43 std::_Facet_Register 4 API calls 66858->66860 66859->66861 66860->66861 66862 6c195960 104 API calls 66861->66862 66867 6c0269d6 std::ios_base::_Ios_base_dtor _strlen 66862->66867 66863->66831 66863->66844 66863->66851 66863->66852 66863->66853 66870 6c196a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66863->66870 66887 6c195960 104 API calls 66863->66887 66864 6c02f243 CreateFileA 66875 6c02f2a7 66864->66875 66865->66864 66866 6c0302ca 66867->66831 66868 6c026dd2 66867->66868 66869 6c026dbb 66867->66869 66878 6c026d69 _Yarn _strlen 66867->66878 66872 6c196a43 std::_Facet_Register 4 API calls 66868->66872 66871 6c196a43 std::_Facet_Register 4 API calls 66869->66871 66870->66863 66871->66878 66872->66878 66873 6c027440 66877 6c196a43 std::_Facet_Register 
4 API calls 66873->66877 66874 6c027427 66876 6c196a43 std::_Facet_Register 4 API calls 66874->66876 66875->66866 66880 6c0302ac GetCurrentProcess TerminateProcess 66875->66880 66879 6c0273da _Yarn 66876->66879 66877->66879 66878->66853 66878->66873 66878->66874 66878->66879 66881 6c195960 104 API calls 66879->66881 66880->66866 66882 6c02748d std::ios_base::_Ios_base_dtor _strlen 66881->66882 66882->66831 66883 6c027991 66882->66883 66884 6c0279a8 66882->66884 66892 6c027940 _Yarn _strlen 66882->66892 66885 6c196a43 std::_Facet_Register 4 API calls 66883->66885 66886 6c196a43 std::_Facet_Register 4 API calls 66884->66886 66885->66892 66886->66892 66887->66863 66888 6c027de2 66891 6c196a43 std::_Facet_Register 4 API calls 66888->66891 66889 6c027dc9 66890 6c196a43 std::_Facet_Register 4 API calls 66889->66890 66893 6c027d7c _Yarn 66890->66893 66891->66893 66892->66853 66892->66888 66892->66889 66892->66893 66894 6c195960 104 API calls 66893->66894 66895 6c027e2f std::ios_base::_Ios_base_dtor _strlen 66894->66895 66895->66831 66896 6c0285a8 66895->66896 66897 6c0285bf 66895->66897 66900 6c028556 _Yarn _strlen 66895->66900 66898 6c196a43 std::_Facet_Register 4 API calls 66896->66898 66899 6c196a43 std::_Facet_Register 4 API calls 66897->66899 66898->66900 66899->66900 66900->66853 66901 6c028983 66900->66901 66902 6c02896a 66900->66902 66905 6c02891d _Yarn 66900->66905 66904 6c196a43 std::_Facet_Register 4 API calls 66901->66904 66903 6c196a43 std::_Facet_Register 4 API calls 66902->66903 66903->66905 66904->66905 66906 6c195960 104 API calls 66905->66906 66909 6c0289d0 std::ios_base::_Ios_base_dtor _strlen 66906->66909 66907 6c028f36 66911 6c196a43 std::_Facet_Register 4 API calls 66907->66911 66908 6c028f1f 66910 6c196a43 std::_Facet_Register 4 API calls 66908->66910 66909->66831 66909->66907 66909->66908 66912 6c028ecd _Yarn _strlen 66909->66912 66910->66912 66911->66912 66912->66853 66913 6c029354 66912->66913 66914 6c02936d 66912->66914 66917 6c029307 _Yarn 
66912->66917 66915 6c196a43 std::_Facet_Register 4 API calls 66913->66915 66916 6c196a43 std::_Facet_Register 4 API calls 66914->66916 66915->66917 66916->66917 66918 6c195960 104 API calls 66917->66918 66920 6c0293ba std::ios_base::_Ios_base_dtor 66918->66920 66919 6c194ff0 4 API calls 66919->66844 66920->66831 66920->66919 66922->66856 66923 6c19ef3f 66924 6c19ef4b __wsopen_s 66923->66924 66925 6c19ef5f 66924->66925 66926 6c19ef52 GetLastError ExitThread 66924->66926 66927 6c1a49b2 __Getctype 37 API calls 66925->66927 66928 6c19ef64 66927->66928 66935 6c1a9d66 66928->66935 66932 6c19ef7b 66941 6c19eeaa 16 API calls 2 library calls 66932->66941 66934 6c19ef9d 66936 6c1a9d78 GetPEB 66935->66936 66937 6c19ef6f 66935->66937 66936->66937 66938 6c1a9d8b 66936->66938 66937->66932 66940 6c1a6d6f 5 API calls std::_Lockit::_Lockit 66937->66940 66942 6c1a6e18 5 API calls std::_Lockit::_Lockit 66938->66942 66940->66932 66941->66934 66942->66937 66943 6c1acad3 66944 6c1acafd 66943->66944 66945 6c1acae5 __dosmaperr 66943->66945 66944->66945 66947 6c1acb48 __dosmaperr 66944->66947 66948 6c1acb77 66944->66948 66985 6c1a0120 18 API calls __Getctype 66947->66985 66949 6c1acb90 66948->66949 66950 6c1acbab __dosmaperr 66948->66950 66952 6c1acbe7 __wsopen_s 66948->66952 66949->66950 66970 6c1acb95 66949->66970 66978 6c1a0120 18 API calls __Getctype 66950->66978 66951 6c1b19e5 __wsopen_s 18 API calls 66953 6c1acd3e 66951->66953 66979 6c1a47bb HeapFree GetLastError __dosmaperr 66952->66979 66956 6c1acdb4 66953->66956 66959 6c1acd57 GetConsoleMode 66953->66959 66958 6c1acdb8 ReadFile 66956->66958 66957 6c1acc07 66980 6c1a47bb HeapFree GetLastError __dosmaperr 66957->66980 66962 6c1ace2c GetLastError 66958->66962 66963 6c1acdd2 66958->66963 66959->66956 66964 6c1acd68 66959->66964 66961 6c1acc0e 66974 6c1acbc2 __dosmaperr __wsopen_s 66961->66974 66981 6c1aac69 20 API calls __wsopen_s 66961->66981 66962->66974 66963->66962 66965 6c1acda9 66963->66965 66964->66958 66966 6c1acd6e 
ReadConsoleW 66964->66966 66971 6c1ace0e 66965->66971 66972 6c1acdf7 66965->66972 66965->66974 66966->66965 66969 6c1acd8a GetLastError 66966->66969 66969->66974 66970->66951 66971->66974 66975 6c1ace25 66971->66975 66983 6c1acefe 23 API calls 3 library calls 66972->66983 66982 6c1a47bb HeapFree GetLastError __dosmaperr 66974->66982 66984 6c1ad1b6 21 API calls __wsopen_s 66975->66984 66977 6c1ace2a 66977->66974 66978->66974 66979->66957 66980->66961 66981->66970 66982->66945 66983->66974 66984->66977 66985->66945
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: _strlen
                                        • String ID: HR^
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: }jk$;T55$L@^

                                        Control-flow Graph

                                        • Graph of the function at 6c195240 (rendered image not recoverable from the extraction); its basic blocks reference CreateToolhelp32Snapshot, Process32FirstW, Process32NextW and CloseHandle, plus internal calls to 6c1a2c05 and 6c19b920.
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C19524E
                                        Similarity
                                        • API ID: CreateSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 3332741929-0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                         control_flow_graph 7821 6c013886-6c01388e 7822 6c013970-6c01397d 7821->7822 7823 6c013894-6c013896 7821->7823 7824 6c0139f1-6c0139f8 7822->7824 7825 6c01397f-6c013989 7822->7825 7823->7822 7826 6c01389c-6c0138b9 7823->7826 7828 6c013ab5-6c013aba 7824->7828 7829 6c0139fe-6c013a03 7824->7829 7825->7826 7827 6c01398f-6c013994 7825->7827 7830 6c0138c0-6c0138c1 7826->7830 7832 6c013b16-6c013b18 7827->7832 7833 6c01399a-6c01399f 7827->7833 7828->7826 7831 6c013ac0-6c013ac7 7828->7831 7834 6c0138d2-6c0138d4 7829->7834 7835 6c013a09-6c013a2f 7829->7835 7836 6c01395e 7830->7836 7831->7830 7838 6c013acd-6c013ad6 7831->7838 7832->7830 7839 6c0139a5-6c0139bf 7833->7839 7840 6c01383b-6c013855 call 6c161470 call 6c161480 7833->7840 7843 6c013957-6c01395c 7834->7843 7841 6c013a35-6c013a3a 7835->7841 7842 6c0138f8-6c013955 7835->7842 7837 6c013960-6c013964 7836->7837 7845 6c013860-6c013885 7837->7845 7846 6c01396a 7837->7846 7838->7832 7847 6c013ad8-6c013aeb 7838->7847 7848 6c013a5a-6c013a5d 7839->7848 7840->7845 7849 6c013a40-6c013a57 7841->7849 7850 6c013b1d-6c013b22 7841->7850 7842->7843 7843->7836 7845->7821 7852 6c013ba1-6c013bb6 7846->7852 7847->7842 7853 6c013af1-6c013af8 7847->7853 7857 6c013aa9-6c013ab0 7848->7857 7849->7848 7855 6c013b24-6c013b44 7850->7855 7856 6c013b49-6c013b50 7850->7856 7864 6c013bc0-6c013bda call 6c161470 call 6c161480 7852->7864 7859 6c013b62-6c013b85 7853->7859 7860 6c013afa-6c013aff 7853->7860 7855->7857 7856->7830 7863 6c013b56-6c013b5d 7856->7863 7857->7837 7859->7842 7868 6c013b8b 7859->7868 7860->7843 7863->7837 7872 6c013be0-6c013bfe 7864->7872 7868->7852 7875 6c013c04-6c013c11 7872->7875 7876 6c013e7b 7872->7876 7878 6c013ce0-6c013cea 7875->7878 7879 6c013c17-6c013c20 7875->7879 7877 6c013e81-6c013ee0 call 6c013750 GetCurrentThread NtSetInformationThread 7876->7877 7893 6c013eea-6c013f04 call 6c161470 call 6c161480 7877->7893 7882 6c013d3a-6c013d3c 7878->7882 7883 6c013cec-6c013d0c 7878->7883 7880 6c013dc5 7879->7880 7881 6c013c26-6c013c2d 7879->7881 7888 6c013dc6 7880->7888 7889 6c013dc3 7881->7889 7890 6c013c33-6c013c3a 7881->7890 7885 6c013d70-6c013d8d 7882->7885 7886 6c013d3e-6c013d45 7882->7886 7891 6c013d90-6c013d95 7883->7891 7885->7891 7892 6c013d50-6c013d57 7886->7892 7896 6c013dc8-6c013dcc 7888->7896 7889->7880 7897 6c013c40-6c013c5b 7890->7897 7898 6c013e26-6c013e2b 7890->7898 7894 6c013d97-6c013db8 7891->7894 7895 6c013dba-6c013dc1 7891->7895 7892->7888 7915 6c013f75-6c013fa1 7893->7915 7894->7880 7895->7889 7900 6c013dd7-6c013ddc 7895->7900 7896->7872 7901 6c013dd2 7896->7901 7902 6c013e1b-6c013e24 7897->7902 7903 6c013e31 7898->7903 7904 6c013c7b-6c013cd0 7898->7904 7907 6c013e36-6c013e3d 7900->7907 7908 6c013dde-6c013e17 7900->7908 7905 6c013e76-6c013e79 7901->7905 7902->7896 7902->7905 7903->7864 7904->7892 7905->7877 7911 6c013e5c-6c013e5f 7907->7911 7912 6c013e3f-6c013e5a 7907->7912 7908->7902 7911->7904 7913 6c013e65-6c013e69 7911->7913 7912->7902 7913->7896 7913->7905 7919 6c014020-6c014026 7915->7919 7920 6c013fa3-6c013fa8 7915->7920 7921 6c013f06-6c013f35 7919->7921 7922 6c01402c-6c01403c 7919->7922 7923 6c01407c-6c014081 7920->7923 7924 6c013fae-6c013fcf 7920->7924 7925 6c013f38-6c013f61 7921->7925 7926 6c0140b3-6c0140b8 7922->7926 7927 6c01403e-6c014058 7922->7927 7928 6c014083-6c01408a 7923->7928 7929 6c0140aa-6c0140ae 7923->7929 7924->7929 7930 6c013f64-6c013f67 7925->7930 7926->7924 7934 6c0140be-6c0140c9 7926->7934 7931 6c01405a-6c014063 7927->7931 7928->7925 7932 6c014090 7928->7932 7933 6c013f6b-6c013f6f 7929->7933 7936 6c013f69 7930->7936 7937 6c0140f5-6c01413f 7931->7937 7938 6c014069-6c01406c 7931->7938 7932->7893 7939 6c0140a7 7932->7939 7933->7915 7934->7929 7935 6c0140cb-6c0140d4 7934->7935 7935->7939 7940 6c0140d6-6c0140f0 7935->7940 7936->7933 7937->7936 7942 6c014072-6c014077 7938->7942 7943 6c014144-6c01414b 7938->7943 7939->7929 7940->7931 7942->7930 7943->7933
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e668e4becb3a7eb44e713222f02bad79e21a44b8d52028c719916094cccac8a3
                                        • Instruction ID: b1a736a6775359904723801364fa2f4955853063875fe452718d95ae58511d2d
                                        • Opcode Fuzzy Hash: e668e4becb3a7eb44e713222f02bad79e21a44b8d52028c719916094cccac8a3
                                        • Instruction Fuzzy Hash: E832D232249B018FC324CF68C8D0795F7E3EF993187698A6DC0AA4BE95D775B44ACB50

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                         control_flow_graph 7969 6c013a6a-6c013a85 7970 6c013a87-6c013aa7 7969->7970 7971 6c013aa9-6c013ab0 7970->7971 7972 6c013960-6c013964 7971->7972 7973 6c013860-6c01388e 7972->7973 7974 6c01396a 7972->7974 7984 6c013970-6c01397d 7973->7984 7985 6c013894-6c013896 7973->7985 7975 6c013ba1-6c013bb6 7974->7975 7978 6c013bc0-6c013bda call 6c161470 call 6c161480 7975->7978 7990 6c013be0-6c013bfe 7978->7990 7987 6c0139f1-6c0139f8 7984->7987 7988 6c01397f-6c013989 7984->7988 7985->7984 7989 6c01389c-6c0138b9 7985->7989 7992 6c013ab5-6c013aba 7987->7992 7993 6c0139fe-6c013a03 7987->7993 7988->7989 7991 6c01398f-6c013994 7988->7991 7994 6c0138c0-6c0138c1 7989->7994 8011 6c013c04-6c013c11 7990->8011 8012 6c013e7b 7990->8012 7997 6c013b16-6c013b18 7991->7997 7998 6c01399a-6c01399f 7991->7998 7992->7989 7995 6c013ac0-6c013ac7 7992->7995 7999 6c0138d2-6c0138d4 7993->7999 8000 6c013a09-6c013a2f 7993->8000 8001 6c01395e 7994->8001 7995->7994 8002 6c013acd-6c013ad6 7995->8002 7997->7994 8004 6c0139a5-6c0139bf 7998->8004 8005 6c01383b-6c013855 call 6c161470 call 6c161480 7998->8005 8008 6c013957-6c01395c 7999->8008 8006 6c013a35-6c013a3a 8000->8006 8007 6c0138f8-6c013955 8000->8007 8001->7972 8002->7997 8010 6c013ad8-6c013aeb 8002->8010 8013 6c013a5a-6c013a5d 8004->8013 8005->7973 8014 6c013a40-6c013a57 8006->8014 8015 6c013b1d-6c013b22 8006->8015 8007->8008 8008->8001 8010->8007 8018 6c013af1-6c013af8 8010->8018 8019 6c013ce0-6c013cea 8011->8019 8020 6c013c17-6c013c20 8011->8020 8017 6c013e81-6c013ee0 call 6c013750 GetCurrentThread NtSetInformationThread 8012->8017 8013->7971 8014->8013 8021 6c013b24-6c013b44 8015->8021 8022 6c013b49-6c013b50 8015->8022 8042 6c013eea-6c013f04 call 6c161470 call 6c161480 8017->8042 8024 6c013b62-6c013b85 8018->8024 8025 6c013afa-6c013aff 8018->8025 8029 6c013d3a-6c013d3c 8019->8029 8030 6c013cec-6c013d0c 8019->8030 8026 6c013dc5 8020->8026 8027 6c013c26-6c013c2d 8020->8027 8021->7970 8022->7994 8028 6c013b56-6c013b5d 8022->8028 8024->8007 8039 6c013b8b 8024->8039 8025->8008 8036 6c013dc6 8026->8036 8037 6c013dc3 8027->8037 8038 6c013c33-6c013c3a 8027->8038 8028->7972 8032 6c013d70-6c013d8d 8029->8032 8033 6c013d3e-6c013d45 8029->8033 8040 6c013d90-6c013d95 8030->8040 8032->8040 8041 6c013d50-6c013d57 8033->8041 8045 6c013dc8-6c013dcc 8036->8045 8037->8026 8046 6c013c40-6c013c5b 8038->8046 8047 6c013e26-6c013e2b 8038->8047 8039->7975 8043 6c013d97-6c013db8 8040->8043 8044 6c013dba-6c013dc1 8040->8044 8041->8036 8064 6c013f75-6c013fa1 8042->8064 8043->8026 8044->8037 8049 6c013dd7-6c013ddc 8044->8049 8045->7990 8050 6c013dd2 8045->8050 8051 6c013e1b-6c013e24 8046->8051 8052 6c013e31 8047->8052 8053 6c013c7b-6c013cd0 8047->8053 8056 6c013e36-6c013e3d 8049->8056 8057 6c013dde-6c013e17 8049->8057 8054 6c013e76-6c013e79 8050->8054 8051->8045 8051->8054 8052->7978 8053->8041 8054->8017 8060 6c013e5c-6c013e5f 8056->8060 8061 6c013e3f-6c013e5a 8056->8061 8057->8051 8060->8053 8062 6c013e65-6c013e69 8060->8062 8061->8051 8062->8045 8062->8054 8068 6c014020-6c014026 8064->8068 8069 6c013fa3-6c013fa8 8064->8069 8070 6c013f06-6c013f35 8068->8070 8071 6c01402c-6c01403c 8068->8071 8072 6c01407c-6c014081 8069->8072 8073 6c013fae-6c013fcf 8069->8073 8074 6c013f38-6c013f61 8070->8074 8075 6c0140b3-6c0140b8 8071->8075 8076 6c01403e-6c014058 8071->8076 8077 6c014083-6c01408a 8072->8077 8078 6c0140aa-6c0140ae 8072->8078 8073->8078 8079 6c013f64-6c013f67 8074->8079 8075->8073 8083 6c0140be-6c0140c9 8075->8083 8080 6c01405a-6c014063 8076->8080 8077->8074 8081 6c014090 8077->8081 8082 6c013f6b-6c013f6f 8078->8082 8085 6c013f69 8079->8085 8086 6c0140f5-6c01413f 8080->8086 8087 6c014069-6c01406c 8080->8087 8081->8042 8088 6c0140a7 8081->8088 8082->8064 8083->8078 8084 6c0140cb-6c0140d4 8083->8084 8084->8088 8089 6c0140d6-6c0140f0 8084->8089 8085->8082 8086->8085 8091 6c014072-6c014077 8087->8091 8092 6c014144-6c01414b 8087->8092 8088->8078 8089->8080 8091->8079 8092->8082
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: CurrentThread
                                        • String ID:
                                        • API String ID: 2882836952-0
                                        • Opcode ID: a0d7ca2f321ea1fade5dc99113c12207557517af3a314afa90117870b5e4bade
                                        • Instruction ID: 97ebb6100956a616f305238b89fe18bc60d622b4ca89eb234c37ebcc6fb25235
                                        • Opcode Fuzzy Hash: a0d7ca2f321ea1fade5dc99113c12207557517af3a314afa90117870b5e4bade
                                        • Instruction Fuzzy Hash: 5951DE711097018FC3208FA8C880785F7E3AF99324F698A5DC0E65BE95DB75B44ACB81
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: CurrentThread
                                        • String ID:
                                        • API String ID: 2882836952-0
                                        • Opcode ID: 9f3b147f5a4f5859745e4bb688ddbf3542d588db0c285e1cb1ab7286ea2edcbb
                                        • Instruction ID: d961480caf07a253a9dd50a52bb02e99b325e45c903ecd46ab950d568e306e58
                                        • Opcode Fuzzy Hash: 9f3b147f5a4f5859745e4bb688ddbf3542d588db0c285e1cb1ab7286ea2edcbb
                                        • Instruction Fuzzy Hash: AC51A071108B018FC320CFA9C480799F7E3BF99324F658A5DC0E65BEA5DB71B4468B91
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6C013E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C013EAA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: 9d78a5f6bf517816af9e44b405317f6f60e5e74f1693f071d205d9f4608252f6
                                        • Instruction ID: 82f73fdeace98748375193a4c51d5bc5dd391311024f64aa74275eef45de02fc
                                        • Opcode Fuzzy Hash: 9d78a5f6bf517816af9e44b405317f6f60e5e74f1693f071d205d9f4608252f6
                                        • Instruction Fuzzy Hash: D2310171109B018FC720CFA4C8847CAF7E3AF9A318F6A4A1DC0A65BE90DB74B009DB51
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6C013E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C013EAA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: 541fdbd9e0bc7a27f355fa35b119105605faffa9e3e9d475654653581e44afcd
                                        • Instruction ID: 299a3356e90680c771dfe590ca2abc1633606d07e2df8f9b84559e87fda4b810
                                        • Opcode Fuzzy Hash: 541fdbd9e0bc7a27f355fa35b119105605faffa9e3e9d475654653581e44afcd
                                        • Instruction Fuzzy Hash: 7A310F31108701CFC720CFA8C49479AF7E2AF9A308F654A1CC0E64BE91DB71B445CB91
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6C013E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C013EAA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: 149ea684923cf0c06460dece0098e992caa74ca5529801510d3419525e92369d
                                        • Instruction ID: 160c54f736d885ccba83577dedb90194f4b843f8c733186aa5cc19bbf72c0825
                                        • Opcode Fuzzy Hash: 149ea684923cf0c06460dece0098e992caa74ca5529801510d3419525e92369d
                                        • Instruction Fuzzy Hash: 3521E07011C7019FD724CFE4C89479AF7F2AF9A318F654A2DC0A68BEA0DB75B4088B51
                                        APIs
                                        • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C195130
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ManagerOpen
                                        • String ID:
                                        • API String ID: 1889721586-0
                                        • Opcode ID: 409829e705ad8113092db9eeb8f22549c7c1dc2c72c9d3763e26fd3128627bb4
                                        • Instruction ID: da48b0b3a28eeca182d4ffa5a5e1dff4ca24afc5ab27222cf9e164b03daee806
                                        • Opcode Fuzzy Hash: 409829e705ad8113092db9eeb8f22549c7c1dc2c72c9d3763e26fd3128627bb4
                                        • Instruction Fuzzy Hash: 39312AB4608341EFC7108F29C544B0ABBF0EB8A755F548A6EF998D6360C371C949DB53
                                        APIs
                                        • FindFirstFileA.KERNEL32(?,?), ref: 6C18AEDC
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: FileFindFirst
                                        • String ID:
                                        • API String ID: 1974802433-0
                                        • Opcode ID: f66fed0ff951a74b0a84b940678246639859298f7952e7f7e24b13b647d73534
                                        • Instruction ID: 7c7821b79a0ea5f4d2e7745843ea68892ef3ec9f93a803fff2c50fcbd9b4f955
                                        • Opcode Fuzzy Hash: f66fed0ff951a74b0a84b940678246639859298f7952e7f7e24b13b647d73534
                                        • Instruction Fuzzy Hash: 401122B450E350AFD7108E28D58494EBBE4BF86315F188E99F4A8CB6D1D334CC888F62
                                        APIs
                                        • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C16ABA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                        • API String ID: 2738559852-1563143607
                                        • Opcode ID: 2921dce062a3cc6123a1f68683743ed65af7750f49b5bf92dac5b0424920780f
                                        • Instruction ID: 32a17c1bf1613c049299a9b68a464350a63ea1a25771ffe53b252899372e28ab
                                        • Opcode Fuzzy Hash: 2921dce062a3cc6123a1f68683743ed65af7750f49b5bf92dac5b0424920780f
                                        • Instruction Fuzzy Hash: 3B626B7060D3818FC724CF29C490A6ABBE2ABDA304F248D5EF999CBB51D734D8559B43

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                         control_flow_graph 6824 6c1acad3-6c1acae3 6825 6c1acafd-6c1acaff 6824->6825 6826 6c1acae5-6c1acaf8 call 6c19f9df call 6c19f9cc 6824->6826 6827 6c1ace64-6c1ace71 call 6c19f9df call 6c19f9cc 6825->6827 6828 6c1acb05-6c1acb0b 6825->6828 6844 6c1ace7c 6826->6844 6845 6c1ace77 call 6c1a0120 6827->6845 6828->6827 6830 6c1acb11-6c1acb37 6828->6830 6830->6827 6833 6c1acb3d-6c1acb46 6830->6833 6837 6c1acb48-6c1acb5b call 6c19f9df call 6c19f9cc 6833->6837 6838 6c1acb60-6c1acb62 6833->6838 6837->6845 6842 6c1acb68-6c1acb6b 6838->6842 6843 6c1ace60-6c1ace62 6838->6843 6842->6843 6848 6c1acb71-6c1acb75 6842->6848 6847 6c1ace7f-6c1ace82 6843->6847 6844->6847 6845->6844 6848->6837 6851 6c1acb77-6c1acb8e 6848->6851 6853 6c1acbdf-6c1acbe5 6851->6853 6854 6c1acb90-6c1acb93 6851->6854 6855 6c1acbab-6c1acbc2 call 6c19f9df call 6c19f9cc call 6c1a0120 6853->6855 6856 6c1acbe7-6c1acbf1 6853->6856 6857 6c1acba3-6c1acba9 6854->6857 6858 6c1acb95-6c1acb9e 6854->6858 6889 6c1acd97 6855->6889 6860 6c1acbf8-6c1acc16 call 6c1a47f5 call 6c1a47bb * 2 6856->6860 6861 6c1acbf3-6c1acbf5 6856->6861 6857->6855 6863 6c1acbc7-6c1acbda 6857->6863 6862 6c1acc63-6c1acc73 6858->6862 6893 6c1acc18-6c1acc2e call 6c19f9cc call 6c19f9df 6860->6893 6894 6c1acc33-6c1acc5c call 6c1aac69 6860->6894 6861->6860 6865 6c1acd38-6c1acd41 call 6c1b19e5 6862->6865 6866 6c1acc79-6c1acc85 6862->6866 6863->6862 6877 6c1acd43-6c1acd55 6865->6877 6878 6c1acdb4 6865->6878 6866->6865 6870 6c1acc8b-6c1acc8d 6866->6870 6870->6865 6874 6c1acc93-6c1accb7 6870->6874 6874->6865 6879 6c1accb9-6c1acccf 6874->6879 6877->6878 6883 6c1acd57-6c1acd66 GetConsoleMode 6877->6883 6881 6c1acdb8-6c1acdd0 ReadFile 6878->6881 6879->6865 6884 6c1accd1-6c1accd3 6879->6884 6887 6c1ace2c-6c1ace37 GetLastError 6881->6887 6888 6c1acdd2-6c1acdd8 6881->6888 6883->6878 6890 6c1acd68-6c1acd6c 6883->6890 6884->6865 6891 6c1accd5-6c1accfb 6884->6891 6895 6c1ace39-6c1ace4b call 6c19f9cc call 6c19f9df 6887->6895 6896 6c1ace50-6c1ace53 6887->6896 6888->6887 6897 6c1acdda 6888->6897 6899 6c1acd9a-6c1acda4 call 6c1a47bb 6889->6899 6890->6881 6898 6c1acd6e-6c1acd88 ReadConsoleW 6890->6898 6891->6865 6892 6c1accfd-6c1acd13 6891->6892 6892->6865 6901 6c1acd15-6c1acd17 6892->6901 6893->6889 6894->6862 6895->6889 6908 6c1ace59-6c1ace5b 6896->6908 6909 6c1acd90-6c1acd96 call 6c19f9f2 6896->6909 6905 6c1acddd-6c1acdef 6897->6905 6906 6c1acd8a GetLastError 6898->6906 6907 6c1acda9-6c1acdb2 6898->6907 6899->6847 6901->6865 6911 6c1acd19-6c1acd33 6901->6911 6905->6899 6915 6c1acdf1-6c1acdf5 6905->6915 6906->6909 6907->6905 6908->6899 6909->6889 6911->6865 6919 6c1ace0e-6c1ace19 6915->6919 6920 6c1acdf7-6c1ace07 call 6c1acefe 6915->6920 6925 6c1ace1b call 6c1ace83 6919->6925 6926 6c1ace25-6c1ace2a call 6c1ad1b6 6919->6926 6932 6c1ace0a-6c1ace0c 6920->6932 6930 6c1ace20-6c1ace23 6925->6930 6926->6930 6930->6932 6932->6899
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8Q
                                        • API String ID: 0-4022487301
                                        • Opcode ID: 2c9d3ac8f127d4f4b62bcb0ceb606faa902076170a12a6b5ee2db3fa6867c3f8
                                        • Instruction ID: 681e5b02d082256b429b367c64d260461ed56b984fa4e1b0bc95320309c009dd
                                        • Opcode Fuzzy Hash: 2c9d3ac8f127d4f4b62bcb0ceb606faa902076170a12a6b5ee2db3fa6867c3f8
                                        • Instruction Fuzzy Hash: 74C10878E04249AFDF01DFD9C890BEDBFB1AF4A318F104159E814ABB81C7769946CB64

                                        Control-flow Graph
                                        control_flow_graph 6933 6c1b406c-6c1b409c call 6c1b44ec 6936 6c1b409e-6c1b40a9 call 6c19f9df 6933->6936 6937 6c1b40b7-6c1b40c3 call 6c1b160c 6933->6937 6942 6c1b40ab-6c1b40b2 call 6c19f9cc 6936->6942 6943 6c1b40dc-6c1b4125 call 6c1b4457 6937->6943 6944 6c1b40c5-6c1b40da call 6c19f9df call 6c19f9cc 6937->6944 6954 6c1b4391-6c1b4395 6942->6954 6952 6c1b4192-6c1b419b GetFileType 6943->6952 6953 6c1b4127-6c1b4130 6943->6953 6944->6942 6958 6c1b419d-6c1b41ce GetLastError call 6c19f9f2 CloseHandle 6952->6958 6959 6c1b41e4-6c1b41e7 6952->6959 6956 6c1b4132-6c1b4136 6953->6956 6957 6c1b4167-6c1b418d GetLastError call 6c19f9f2 6953->6957 6956->6957 6962 6c1b4138-6c1b4165 call 6c1b4457 6956->6962 6957->6942 6958->6942 6970 6c1b41d4-6c1b41df call 6c19f9cc 6958->6970 6960 6c1b41e9-6c1b41ee 6959->6960 6961 6c1b41f0-6c1b41f6 6959->6961 6966 6c1b41fa-6c1b4248 call 6c1b17b0 6960->6966 6961->6966 6967 6c1b41f8 6961->6967 6962->6952 6962->6957 6976 6c1b424a-6c1b4256 call 6c1b4666 6966->6976 6977 6c1b4267-6c1b428f call 6c1b4710 6966->6977 6967->6966 6970->6942 6976->6977 6984 6c1b4258 6976->6984 6982 6c1b4291-6c1b4292 6977->6982 6983 6c1b4294-6c1b42d5 6977->6983 6985 6c1b425a-6c1b4262 call 6c1ab925 6982->6985 6986 6c1b42d7-6c1b42db 6983->6986 6987 6c1b42f6-6c1b4304 6983->6987 6984->6985 6985->6954 6986->6987 6989 6c1b42dd-6c1b42f1 6986->6989 6990 6c1b430a-6c1b430e 6987->6990 6991 6c1b438f 6987->6991 6989->6987 6990->6991 6993 6c1b4310-6c1b4343 CloseHandle call 6c1b4457 6990->6993 6991->6954 6996 6c1b4377-6c1b438b 6993->6996 6997 6c1b4345-6c1b4371 GetLastError call 6c19f9f2 call 6c1b171f 6993->6997 6996->6991 6997->6996
                                        APIs
                                          • Part of subcall function 6C1B4457: CreateFileW.KERNEL32(00000000,00000000,?,6C1B4115,?,?,00000000,?,6C1B4115,00000000,0000000C), ref: 6C1B4474
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1B4180
                                        • __dosmaperr.LIBCMT ref: 6C1B4187
                                        • GetFileType.KERNEL32(00000000), ref: 6C1B4193
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1B419D
                                        • __dosmaperr.LIBCMT ref: 6C1B41A6
                                        • CloseHandle.KERNEL32(00000000), ref: 6C1B41C6
                                        • CloseHandle.KERNEL32(6C1AB0D0), ref: 6C1B4313
                                        • GetLastError.KERNEL32 ref: 6C1B4345
                                        • __dosmaperr.LIBCMT ref: 6C1B434C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: 8Q
                                        • API String ID: 4237864984-4022487301
                                        • Opcode ID: 27dbf6402061c28192d2779af9982a28a684ac39736a2805b2d4cbe50bbadc97
                                        • Instruction ID: 7f8ad6c9bded0f3286f50f3c0583e8bd7c24b7c316965776151e94fb8c04b073
                                        • Opcode Fuzzy Hash: 27dbf6402061c28192d2779af9982a28a684ac39736a2805b2d4cbe50bbadc97
                                        • Instruction Fuzzy Hash: ABA14432A041589FCF09DF68C851BEE7BB1AB07328F288259F851BB7D0CB359916CB51

                                        Control-flow Graph
                                        control_flow_graph 7002 6c16c1e0-6c16c239 call 6c196b70 7005 6c16c260-6c16c269 7002->7005 7006 6c16c2b0-6c16c2b5 7005->7006 7007 6c16c26b-6c16c270 7005->7007 7010 6c16c2b7-6c16c2bc 7006->7010 7011 6c16c330-6c16c335 7006->7011 7008 6c16c272-6c16c277 7007->7008 7009 6c16c2f0-6c16c2f5 7007->7009 7014 6c16c372-6c16c3df WriteFile 7008->7014 7015 6c16c27d-6c16c282 7008->7015 7018 6c16c431-6c16c448 WriteFile 7009->7018 7019 6c16c2fb-6c16c300 7009->7019 7016 6c16c407-6c16c41b 7010->7016 7017 6c16c2c2-6c16c2c7 7010->7017 7012 6c16c33b-6c16c340 7011->7012 7013 6c16c489-6c16c4b9 call 6c19b3a0 7011->7013 7021 6c16c346-6c16c36d 7012->7021 7022 6c16c4be-6c16c4c3 7012->7022 7013->7005 7024 6c16c3e9-6c16c3fd WriteFile 7014->7024 7023 6c16c288-6c16c28d 7015->7023 7015->7024 7025 6c16c41f-6c16c42c 7016->7025 7026 6c16c2cd-6c16c2d2 7017->7026 7027 6c16c23b-6c16c250 7017->7027 7029 6c16c452-6c16c47f call 6c19b920 ReadFile 7018->7029 7028 6c16c306-6c16c30b 7019->7028 7019->7029 7031 6c16c253-6c16c258 7021->7031 7022->7005 7033 6c16c4c9-6c16c4d7 7022->7033 7023->7005 7034 6c16c28f-6c16c2aa 7023->7034 7024->7016 7025->7005 7026->7005 7035 6c16c2d4-6c16c2e7 7026->7035 7027->7031 7028->7005 7030 6c16c311-6c16c32b 7028->7030 7029->7013 7030->7025 7031->7005 7034->7031 7035->7031
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: :uW$;uW$;uW$> 4!$> 4!
                                        • API String ID: 0-4100612575
                                        • Opcode ID: c1d713da5617dfc82cfb4fa472ae0a24daad9a1c494ec6e2d7d1668946978433
                                        • Instruction ID: b43179fd660a639bf57553172564dedcee36a186d780783af7b84e912cbe4dbc
                                        • Opcode Fuzzy Hash: c1d713da5617dfc82cfb4fa472ae0a24daad9a1c494ec6e2d7d1668946978433
                                        • Instruction Fuzzy Hash: 79718EB0208345AFDB10DF56C490B5ABBF4FF8A708F10492EF898D7A50D775D8589B92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K?Jo$K?Jo$`Rlx$7eO
                                        • API String ID: 0-174837320
                                        • Opcode ID: 691cdbd2895c1a02c87fe588d35136e1577b11e4ca96424e21739af3c0299d4e
                                        • Instruction ID: 0450f66acacd8f77d3d21f9dd6e1595f85c708288d9d1d68c2b976e948b659d1
                                        • Opcode Fuzzy Hash: 691cdbd2895c1a02c87fe588d35136e1577b11e4ca96424e21739af3c0299d4e
                                        • Instruction Fuzzy Hash: 794287B46093428FC754CF6AC090A1ABBE1AFD9314F248D1EF9958BB60D738D865DB43
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;T55
                                        • API String ID: 0-2572755013
                                        • Opcode ID: 524a50520cf52bcfd26f89ece5fcd46d2c43ddb6d9e525c26f82f80e5c16de41
                                        • Instruction ID: d5aa90ccf89e28df418837a7a07b87f1708c15cc0f7df0d9f701d9953199d1d2
                                        • Opcode Fuzzy Hash: 524a50520cf52bcfd26f89ece5fcd46d2c43ddb6d9e525c26f82f80e5c16de41
                                        • Instruction Fuzzy Hash: DE03D431645B018FC728CF28C8D0799F7E3AFD53287598B6DC0AA4BA95D778B44ACB50

                                        Control-flow Graph
                                        control_flow_graph 7579 6c194ff0-6c195077 CreateProcessA 7580 6c1950ca-6c1950d3 7579->7580 7581 6c1950f0-6c19510b 7580->7581 7582 6c1950d5-6c1950da 7580->7582 7581->7580 7583 6c1950dc-6c1950e1 7582->7583 7584 6c195080-6c1950c2 WaitForSingleObject CloseHandle * 2 7582->7584 7583->7580 7585 6c1950e3-6c195118 7583->7585 7584->7580
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID: D
                                        • API String ID: 963392458-2746444292
                                        • Opcode ID: 50c68b6327f4d1bc0be039632c03eac76e944d5d9b8001e9e32a82a1b8553632
                                        • Instruction ID: 7c8f68c61465306b7524f3936ef5135701ce907d47c26253e51813cd44cec709
                                        • Opcode Fuzzy Hash: 50c68b6327f4d1bc0be039632c03eac76e944d5d9b8001e9e32a82a1b8553632
                                        • Instruction Fuzzy Hash: 6531E1708093808FD750DF29D19872EBBF0AB9A318F405A1DF8A996250E7B9D588CF43

                                        Control-flow Graph
                                        control_flow_graph 7587 6c1abc5e-6c1abc7a 7588 6c1abe39 7587->7588 7589 6c1abc80-6c1abc82 7587->7589 7590 6c1abe3b-6c1abe3f 7588->7590 7591 6c1abca4-6c1abcc5 7589->7591 7592 6c1abc84-6c1abc97 call 6c19f9df call 6c19f9cc call 6c1a0120 7589->7592 7594 6c1abccc-6c1abcd2 7591->7594 7595 6c1abcc7-6c1abcca 7591->7595 7609 6c1abc9c-6c1abc9f 7592->7609 7594->7592 7597 6c1abcd4-6c1abcd9 7594->7597 7595->7594 7595->7597 7598 6c1abcea-6c1abcfb call 6c1abe40 7597->7598 7599 6c1abcdb-6c1abce7 call 6c1aac69 7597->7599 7607 6c1abd3c-6c1abd4e 7598->7607 7608 6c1abcfd-6c1abcff 7598->7608 7599->7598 7610 6c1abd50-6c1abd59 7607->7610 7611 6c1abd95-6c1abdb7 WriteFile 7607->7611 7612 6c1abd01-6c1abd09 7608->7612 7613 6c1abd26-6c1abd32 call 6c1abeb1 7608->7613 7609->7590 7614 6c1abd5b-6c1abd5e 7610->7614 7615 6c1abd85-6c1abd93 call 6c1ac2c3 7610->7615 7618 6c1abdb9-6c1abdbf GetLastError 7611->7618 7619 6c1abdc2 7611->7619 7616 6c1abdcb-6c1abdce 7612->7616 7617 6c1abd0f-6c1abd1c call 6c1ac25b 7612->7617 7626 6c1abd37-6c1abd3a 7613->7626 7622 6c1abd60-6c1abd63 7614->7622 7623 6c1abd75-6c1abd83 call 6c1ac487 7614->7623 7615->7626 7621 6c1abdd1-6c1abdd6 7616->7621 7634 6c1abd1f-6c1abd21 7617->7634 7618->7619 7627 6c1abdc5-6c1abdca 7619->7627 7628 6c1abdd8-6c1abddd 7621->7628 7629 6c1abe34-6c1abe37 7621->7629 7622->7621 7630 6c1abd65-6c1abd73 call 6c1ac39e 7622->7630 7623->7626 7626->7634 7627->7616 7635 6c1abe09-6c1abe15 7628->7635 7636 6c1abddf-6c1abde4 7628->7636 7629->7590 7630->7626 7634->7627 7642 6c1abe1c-6c1abe2f call 6c19f9cc call 6c19f9df 7635->7642 7643 6c1abe17-6c1abe1a 7635->7643 7639 6c1abdfd-6c1abe04 call 6c19f9f2 7636->7639 7640 6c1abde6-6c1abdf8 call 6c19f9cc call 6c19f9df 7636->7640 7639->7609 7640->7609 7642->7609 7643->7588 7643->7642
                                        APIs
                                          • Part of subcall function 6C1ABEB1: GetConsoleCP.KERNEL32(?,6C1AB0D0,?), ref: 6C1ABEF9
                                        • WriteFile.KERNEL32(?,?,6C1B46EC,00000000,00000000,?,00000000,00000000,6C1B5AB6,00000000,00000000,?,00000000,6C1AB0D0,6C1B46EC,00000000), ref: 6C1ABDAF
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C1B46EC,6C1AB0D0,00000000,?,?,?,?,00000000,?), ref: 6C1ABDB9
                                        • __dosmaperr.LIBCMT ref: 6C1ABDFE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 251514795-4022487301
                                        • Opcode ID: 81f50ffb9a827729f0cdee2722ea7ea3a1feb79e2058f663aa78c693386cd90c
                                        • Instruction ID: 421a550e68c03afb090344a53dba4966f18315a5d99269988a4168242786e622
                                        • Opcode Fuzzy Hash: 81f50ffb9a827729f0cdee2722ea7ea3a1feb79e2058f663aa78c693386cd90c
                                        • Instruction Fuzzy Hash: 2151E279A0128EBFDB019FE8C840FEEBBB9EF1631CF140551E510ABA81D735994687A0

                                        Control-flow Graph
                                        control_flow_graph 7654 6c195b90-6c195b9c 7655 6c195bdd 7654->7655 7656 6c195b9e-6c195ba9 7654->7656 7659 6c195bdf-6c195c57 7655->7659 7657 6c195bab-6c195bbd 7656->7657 7658 6c195bbf-6c195bcc call 6c0601f0 call 6c1a0b18 7656->7658 7657->7658 7667 6c195bd1-6c195bdb 7658->7667 7661 6c195c59-6c195c81 7659->7661 7662 6c195c83-6c195c89 7659->7662 7661->7662 7664 6c195c8a-6c195d49 call 6c062250 call 6c062340 call 6c199379 call 6c05e010 call 6c197088 7661->7664 7667->7659
                                        APIs
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C195D31
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: Ios_base_dtorstd::ios_base::_
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 323602529-1866435925
                                        • Opcode ID: b32183c6ed6a8ff73f6be78ba56808fd758cc61d2d1b0c67644150e466e5b4ed
                                        • Instruction ID: e0b8097cac689804a5622293dca933db78eec2406cb5c7e2280cf57e66948503
                                        • Opcode Fuzzy Hash: b32183c6ed6a8ff73f6be78ba56808fd758cc61d2d1b0c67644150e466e5b4ed
                                        • Instruction Fuzzy Hash: 555152B5A00B008FD725CF29C485B97BBF1BB58318F008A2DD8965BB90D779B909CF90

                                        Control-flow Graph
                                        control_flow_graph 7699 6c1ab925-6c1ab939 call 6c1b15a2 7702 6c1ab93b-6c1ab93d 7699->7702 7703 6c1ab93f-6c1ab947 7699->7703 7704 6c1ab98d-6c1ab9ad call 6c1b171f 7702->7704 7705 6c1ab949-6c1ab950 7703->7705 7706 6c1ab952-6c1ab955 7703->7706 7715 6c1ab9bb 7704->7715 7716 6c1ab9af-6c1ab9b9 call 6c19f9f2 7704->7716 7705->7706 7708 6c1ab95d-6c1ab971 call 6c1b15a2 * 2 7705->7708 7709 6c1ab973-6c1ab983 call 6c1b15a2 CloseHandle 7706->7709 7710 6c1ab957-6c1ab95b 7706->7710 7708->7702 7708->7709 7709->7702 7718 6c1ab985-6c1ab98b GetLastError 7709->7718 7710->7708 7710->7709 7720 6c1ab9bd-6c1ab9c0 7715->7720 7716->7720 7718->7704
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,6C1B425F), ref: 6C1AB97B
                                        • GetLastError.KERNEL32(?,00000000,?,6C1B425F), ref: 6C1AB985
                                        • __dosmaperr.LIBCMT ref: 6C1AB9B0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: CloseErrorHandleLast__dosmaperr
                                        • String ID:
                                        • API String ID: 2583163307-0
                                        • Opcode ID: 04caf57fedddae6c51ed69fa67e65267285ae44be8f220b9a45ba0bad11f1a7f
                                        • Instruction ID: b1c3a4062e722ca3469a7bafb45df6710e7c304eb4ad4b6344e6b507b481e969
                                        • Opcode Fuzzy Hash: 04caf57fedddae6c51ed69fa67e65267285ae44be8f220b9a45ba0bad11f1a7f
                                        • Instruction Fuzzy Hash: 22014E37B592AC5AC20106BB94457AD37694F9373CF3A036DF81597AC0DF75C88B8298

                                        Control-flow Graph
                                        control_flow_graph 7944 6c1a0b9c-6c1a0ba7 7945 6c1a0ba9-6c1a0bbc call 6c19f9cc call 6c1a0120 7944->7945 7946 6c1a0bbe-6c1a0bcb 7944->7946 7957 6c1a0c10-6c1a0c12 7945->7957 7948 6c1a0bcd-6c1a0be2 call 6c1a0cb9 call 6c1a873e call 6c1a9c60 call 6c1ab898 7946->7948 7949 6c1a0c06-6c1a0c0f call 6c1aae75 7946->7949 7963 6c1a0be7-6c1a0bec 7948->7963 7949->7957 7964 6c1a0bee-6c1a0bf1 7963->7964 7965 6c1a0bf3-6c1a0bf7 7963->7965 7964->7949 7965->7949 7966 6c1a0bf9-6c1a0c05 call 6c1a47bb 7965->7966 7966->7949
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8Q
                                        • API String ID: 0-4022487301
                                        • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                        • Instruction ID: c1c74d600443f7401d05eb566b7eee0978e0a41ddcdf7735ccfca1acce1edf03
                                        • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                        • Instruction Fuzzy Hash: 2AF0F43E501A547BD6215EE98D00BCB36989F4337CF100765E97693ED0DB74D40BC6A1
                                        APIs
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C195AB4
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C195AF4
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: Ios_base_dtorstd::ios_base::_
                                        • String ID:
                                        • API String ID: 323602529-0
                                        • Opcode ID: 68958582bf17c3a1ae1cb3bfb2c9787aa90a14d7187bd56641d43c11659f7f70
                                        • Instruction ID: e9b51b9bc2b4c5faa0225b957f18677de2941005ba944f2bb51c0ac9dd1eeeec
                                        • Opcode Fuzzy Hash: 68958582bf17c3a1ae1cb3bfb2c9787aa90a14d7187bd56641d43c11659f7f70
                                        • Instruction Fuzzy Hash: 04514771201B00DBE725CF25C894BE6BBF4BB05718F448A1CD4AA5BBA1DB30B549CB90
                                        APIs
                                        • GetLastError.KERNEL32(6C1C6DD8,0000000C), ref: 6C19EF52
                                        • ExitThread.KERNEL32 ref: 6C19EF59
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ErrorExitLastThread
                                        • String ID:
                                        • API String ID: 1611280651-0
                                        • Opcode ID: 28c804d36b40f95253c2b257f096cdd6abd8646b365e817efde72b92293dc9b2
                                        • Instruction ID: 8edcf0a3dea9867970e3baefa8d0949ebf11195c23e1ddb28fa4e23d81e3e09c
                                        • Opcode Fuzzy Hash: 28c804d36b40f95253c2b257f096cdd6abd8646b365e817efde72b92293dc9b2
                                        • Instruction Fuzzy Hash: 31F0C275A00204AFDB009FB0C449BAE3B74FF41318F144689F00697B50CF355A46DBA1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: __wsopen_s
                                        • String ID:
                                        • API String ID: 3347428461-0
                                        • Opcode ID: 8ec90042218d4c5791fcc6bac37634e5b69472c46f73ff7dabc10603828d5c7b
                                        • Instruction ID: c2e125002e0ebb199997bd007ec5448a9196970dab1dd772dc8f2fac22e4cd86
                                        • Opcode Fuzzy Hash: 8ec90042218d4c5791fcc6bac37634e5b69472c46f73ff7dabc10603828d5c7b
                                        • Instruction Fuzzy Hash: B9118C75A0420EAFCF05CF99E945A9B3BF8EF49304F004059F818EB301D631E912CBA4
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                        • Instruction ID: 859bf886dc3397213d511b3a22cba1a7fb532e4c8f65c6d72a26aeaa0acfe749
                                        • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                        • Instruction Fuzzy Hash: AD012872C01159AFCF029FE88D00AEE7FB5AB08214F144165FE24A26A0E7318A25DB91
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,00000000,?,6C1B4115,?,?,00000000,?,6C1B4115,00000000,0000000C), ref: 6C1B4474
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 7334f11dfc8fc82e48480934f58ec159f76a03adb03417642b764067eacbcf3d
                                        • Instruction ID: 9c4aa8b902d384af061af1e98d78114550e4999b2464d0aab52e93ed12ebea0a
                                        • Opcode Fuzzy Hash: 7334f11dfc8fc82e48480934f58ec159f76a03adb03417642b764067eacbcf3d
                                        • Instruction Fuzzy Hash: F9D06C3210410DBBDF128E84DC06EDA3FAAFB88714F014000BA1856020C736E961EB90
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                        • Instruction ID: c528898b29729d1e78e7ad13d5d351cf05abfe285dd5f55930d1fec0d3441974
                                        • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                        • Instruction Fuzzy Hash:
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: _strlen
                                        • String ID: g)''
                                        • API String ID: 4218353326-3487984327
                                        • Opcode ID: 3dcb0b197e23fea05f64d32c3920df6f0465f1df86767ad4ad3b5d1378b304b3
                                        • Instruction ID: 5625d50c41568ca44a0f38a01451fd5ca965d57e79722a78f75920337e39920c
                                        • Opcode Fuzzy Hash: 3dcb0b197e23fea05f64d32c3920df6f0465f1df86767ad4ad3b5d1378b304b3
                                        • Instruction Fuzzy Hash: C7630331645B018FC728CF28C8D0A95B7F3BF9531876A8A6DC0AA4BA55E774B54ACB40
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 6C195D6A
                                        • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C195D76
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C195D84
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C195DAB
                                        • NtInitiatePowerAction.NTDLL ref: 6C195DBF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3256374457-3733053543
                                        • Opcode ID: b7bdb365c279e682d21a7949bdd6ddaa7b2360df5d52c3927f264d94a73ffaa6
                                        • Instruction ID: 00af51b3e478dc1bf6ffa0ca37a84d36e6abfb9d4f80ce72ac97282cb6248de2
                                        • Opcode Fuzzy Hash: b7bdb365c279e682d21a7949bdd6ddaa7b2360df5d52c3927f264d94a73ffaa6
                                        • Instruction Fuzzy Hash: FDF0B4B0644300BBEA006F64DD0EB5A7BB4EF55705F014508FD45A60C1D7B06984CB92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \j`7$\j`7$j
                                        • API String ID: 0-3644614255
                                        • Opcode ID: d8cef53fb8804d10c06d3c4c17719a89d4880b7bbfecbe741f1519812383d5a0
                                        • Instruction ID: 4bf81c75d437f228b73b5fa28a4480f9d8328ea670512ba8202bfa4a7a28651e
                                        • Opcode Fuzzy Hash: d8cef53fb8804d10c06d3c4c17719a89d4880b7bbfecbe741f1519812383d5a0
                                        • Instruction Fuzzy Hash: 0C42137460D3828FCB18CFA8C49065EBBE1ABDA354F144A1EE4A9D7B61D334D845CB53
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1F6CE5
                                          • Part of subcall function 6C1CCC2A: __EH_prolog.LIBCMT ref: 6C1CCC2F
                                          • Part of subcall function 6C1CE6A6: __EH_prolog.LIBCMT ref: 6C1CE6AB
                                          • Part of subcall function 6C1F6A0E: __EH_prolog.LIBCMT ref: 6C1F6A13
                                          • Part of subcall function 6C1F6837: __EH_prolog.LIBCMT ref: 6C1F683C
                                          • Part of subcall function 6C1FA143: __EH_prolog.LIBCMT ref: 6C1FA148
                                          • Part of subcall function 6C1FA143: ctype.LIBCPMT ref: 6C1FA16C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog$ctype
                                        • String ID:
                                        • API String ID: 1039218491-3916222277
                                        • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                        • Instruction ID: 78ce80c718eee29b9ea895e26e0021eea485d6c9f4b6aed97a3b9228bbe30282
                                        • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                        • Instruction Fuzzy Hash: A203BF3090528CDFDF11CFA4C850BDCBBB1AF26318F1440DAE46567A91DB785B8ADB62
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C1A0279
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C1A0283
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C1A0290
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: f6db6e7276a3d7e85d88a13a4adeacb2e2125d82fd2c9825bb5061a10fba9258
                                        • Instruction ID: dc88daa190991199ab3e3a9b79d0169b1e1b3ba7e4b47b3715d6a7943ff6bab3
                                        • Opcode Fuzzy Hash: f6db6e7276a3d7e85d88a13a4adeacb2e2125d82fd2c9825bb5061a10fba9258
                                        • Instruction Fuzzy Hash: 5A31C27491122C9BCB21DF68D888BDDBBB8BF18314F5042EAE41DA7250EB749B858F44
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,6C19F235,?,?,?,?), ref: 6C19F19F
                                        • TerminateProcess.KERNEL32(00000000,?,6C19F235,?,?,?,?), ref: 6C19F1A6
                                        • ExitProcess.KERNEL32 ref: 6C19F1B8
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: c924e4342e064c7ba91683668f0fa7af4a4cb95059405106d64d764d9c03e1fb
                                        • Instruction ID: eb4359f542b37a5556b6230668118c5d960da7a5cfc7b164ca0379ac8b580c14
                                        • Opcode Fuzzy Hash: c924e4342e064c7ba91683668f0fa7af4a4cb95059405106d64d764d9c03e1fb
                                        • Instruction Fuzzy Hash: C7E04632104108AFCF022F94C808AA93F78FB46266F000424F829C6620CB39DE82EA80
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: x=J
                                        • API String ID: 3519838083-1497497802
                                        • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                        • Instruction ID: 54722ff33d8ba2d49a7243c7100a0a5f65b6557068e46cee774dccd1fafff618
                                        • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                        • Instruction Fuzzy Hash: 3591E131F01109DBDF04DFA4C8A1AEDB775AF3631CF20806AF45167A51DB3A9A49CB92
                                        APIs
                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C1978B0
                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C1980D3
                                          • Part of subcall function 6C199379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C1980BC,00000000,?,?,?,6C1980BC,?,6C1C554C), ref: 6C1993D9
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                        • String ID:
                                        • API String ID: 915016180-0
                                        • Opcode ID: 2b717835189a6b96eb9b2771cebb21f7214951808c415d4de491d169cb0313f5
                                        • Instruction ID: f6316e05af0cb756e55104ac4eb1c0ffa47f16e3519c905d7e9fa97e84caa13f
                                        • Opcode Fuzzy Hash: 2b717835189a6b96eb9b2771cebb21f7214951808c415d4de491d169cb0313f5
                                        • Instruction Fuzzy Hash: 49B1CF75E042089FDB05CF56C89569DBBB4FB19318F25822ED819E7680D378EA44CFA0
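The API sequences in the records above (the SeShutdownPrivilege enablement at 6C195D6A, the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter triple at 6C1A0279, and the invalid_argument / RaiseException block at 6C1978B0) are easier to act on once the listing is turned into per-function call sequences. The following is an added example, not code from Joe Sandbox or from the analysed sample: it parses "APIs" bullets in the format printed in this report (including the indented "Part of subcall function" lines) into call records and matches ordered call-sequence signatures against them. The constructed input copies those three blocks from this report with the other sections abbreviated. The signature table, its names and confidence labels, and the extra shutdown APIs NtShutdownSystem and ExitWindowsEx are the editor's assumptions. The IsDebuggerPresent triple is marked low confidence because the same three calls also occur in the MSVC CRT's fatal-error handling, where they are not an anti-debugging check; the neighbouring CRT-style records in this listing (GetLastError/ExitThread, TerminateProcess/ExitProcess, IsProcessorFeaturePresent) make that reading plausible here. Requires Python 3.8 or later.

```python
"""Parse the 'APIs' blocks of a Joe Sandbox function listing and match call-sequence signatures.

Added example, not part of the Joe Sandbox report. SAMPLE_REPORT copies three 'APIs' blocks
from the listing (other sections abbreviated); SIGNATURES is the editor's own table.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed input: bullets copied from the report, with the section headers that follow each
# block kept so the parser has to skip non-API sections the way it would on a full report.
SAMPLE_REPORT = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 6C195D6A
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C195D76
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C195D84
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C195DAB
• NtInitiatePowerAction.NTDLL ref: 6C195DBF
Strings
Memory Dump Source
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C1A0279
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C1A0283
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C1A0290
Memory Dump Source
APIs
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C1978B0
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C1980D3
  • Part of subcall function 6C199379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C1980BC,00000000,?,?,?,6C1980BC,?,6C1C554C), ref: 6C1993D9
Memory Dump Source
"""

# One 'APIs' bullet: optional 'Part of subcall function <addr>:' prefix, '<api>.<module>',
# optional '(args)', then 'ref: <call site>'.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
OTHER_SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


class ApiCall(NamedTuple):
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str                # call-site address as printed in the report
    subcall: Optional[str]  # callee address when listed under 'Part of subcall function'


def parse_report(text: str) -> List[List[ApiCall]]:
    """Return one list of ApiCall per 'APIs' block, in report order; empty blocks are dropped."""
    blocks: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        head = line.strip()
        if head == "APIs":
            current = []
            blocks.append(current)
        elif head in OTHER_SECTIONS:
            current = None  # bullets under Strings etc. are not calls
        elif current is not None and (m := CALL_RE.match(line)):
            args = tuple(m["args"].split(",")) if m["args"] is not None else ()
            current.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return [b for b in blocks if b]


# Editor's table: (name, confidence, steps); a step is (accepted API names, substring that must
# appear in an argument, or None). Steps must occur in order; other calls may sit in between.
# The first mirrors the sequence at 6C195D6A (NtShutdownSystem and ExitWindowsEx are editor
# additions); the second also matches the MSVC CRT's fatal-error path, hence 'low'.
SIGNATURES = (
    ("enable-privilege-then-shutdown", "high", (
        ({"OpenProcessToken"}, None),
        ({"LookupPrivilegeValueW", "LookupPrivilegeValueA"}, "SeShutdownPrivilege"),
        ({"AdjustTokenPrivileges"}, None),
        ({"NtInitiatePowerAction", "NtShutdownSystem", "ExitWindowsEx"}, None),
    )),
    ("debugger-check-then-unhandled-exception-filter", "low", (
        ({"IsDebuggerPresent"}, None),
        ({"SetUnhandledExceptionFilter"}, None),
        ({"UnhandledExceptionFilter"}, None),
    )),
)


def matches(calls: List[ApiCall], steps) -> bool:
    """Ordered-subsequence match: each step must be satisfied by a call after the previous step's."""
    pos = 0
    for apis, needle in steps:
        while pos < len(calls):
            call = calls[pos]
            pos += 1
            if call.api in apis and (needle is None or any(needle in a for a in call.args)):
                break
        else:
            return False
    return True


def scan(text: str) -> dict:
    """Map each function (keyed by its first call site) to the (name, confidence) of every hit."""
    return {calls[0].ref: [(name, conf) for name, conf, steps in SIGNATURES if matches(calls, steps)]
            for calls in parse_report(text)}
```

`scan(SAMPLE_REPORT)` returns the high-confidence shutdown hit for 6C195D6A, the low-confidence debugger-check hit for 6C1A0279 and nothing for 6C1978B0. The matcher deliberately tolerates unrelated calls between steps (the report interleaves CRT helpers with the interesting calls) but not reordering, so a function that merely imports the same APIs in another order does not match; the argument constraint on LookupPrivilegeValueW is what separates a shutdown from, say, a SeDebugPrivilege enablement with an otherwise identical call shape.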
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @4J$DsL
                                        • API String ID: 0-2004129199
                                        • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                        • Instruction ID: 7a5db4786dfd822ca16ea82deaf056aa759f59f4d894ead80215120f8e997738
                                        • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                        • Instruction Fuzzy Hash: 282191377A49564BD74CCA28DC33EB92681E744305B89527EED4BCB7D1DF5C8800C648
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1E540F
                                          • Part of subcall function 6C1E6137: __EH_prolog.LIBCMT ref: 6C1E613C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                        • Instruction ID: 90c82ac3cab234e869238e0eb053de9c5849781b0df271401daa16152c412417
                                        • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                        • Instruction Fuzzy Hash: 88626670D00659CFDF15CFA4C894BEEBBB5BF18308F24416AE815ABA81D7749A84CF90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: YA1
                                        • API String ID: 0-613462611
                                        • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                        • Instruction ID: 2242dea658c1bcc85ece0d6990fa147e5ce4cd02d688fb08d07c6dfa6984480d
                                        • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                        • Instruction Fuzzy Hash: 6142E3B06183A58FC315CF28C49069AFBE2FFD9308F15596DE8D98B741D671D90ACB82
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: __aullrem
                                        • String ID:
                                        • API String ID: 3758378126-0
                                        • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                        • Instruction ID: 462acc28271f25ed56fa6639c3d68b85d930576ac8491e2db7c8ec4c848e5bd0
                                        • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                        • Instruction Fuzzy Hash: 2051FA71A043859BD710CF5AC4C02EEFBF6EF7A214F15C05EE8C897242D27A599AC760
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID: 0-3916222277
                                        • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                        • Instruction ID: c67fd6d52bf406f2c2f9dfc7090c2c39e05db005e76add29e1180ef808d5330a
                                        • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                        • Instruction Fuzzy Hash: 58029C31608345CBD329CF28C49079EBBE2BFD9708F148A2DE8C597B51D775A949CB82
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (SL
                                        • API String ID: 0-669240678
                                        • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                        • Instruction ID: 83d14da0005a7baec78ec577c4c8f7fc198fc7afe8cc0d624f4844ba4e409ad6
                                        • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                        • Instruction Fuzzy Hash: 3A519473E208214AD78CCE24DC2177572D2E784310F8BC1B99D8BAB6E6CD78989087D4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xU)l
                                        • API String ID: 0-3858368940
                                        • Opcode ID: a30af8fd8827648c97056325b46381b55f166a718ee39fcbe6a0ec890a191e01
                                        • Instruction ID: 0a6d2205a85c4b0b747245091339566a3c5f2bc1ed50414a296b0b03bac0e662
                                        • Opcode Fuzzy Hash: a30af8fd8827648c97056325b46381b55f166a718ee39fcbe6a0ec890a191e01
                                        • Instruction Fuzzy Hash: BBF0E532A10324DBCB12DB8DC405B89B3BDEB45B66F1101A6E404DBA41C3B0DD80C7C0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                        • Instruction ID: 4c8013a55641d153f8a3226a8edfc894274257c5520a1350229cbe45f0bd9252
                                        • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                        • Instruction Fuzzy Hash: 5C524071604B898BD319CF29C59076ABBE2BF95308F148A2DD8DAC7B41DB74F885CB41
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                        • Instruction ID: 5c2cc456b16c3ad9429313c23ecf44e4113052cdf0d49435af1e7dd6db4f2a23
                                        • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                        • Instruction Fuzzy Hash: 9E62F2B5A08349CFC714CF19C48092BBBE1BBC8745FA48A2EF89587714D770E855CBA2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                        • Instruction ID: 25475253bd8349993a871507b06640e6d9f0c6ec26d2d12e01c9c3adb5e88bf8
                                        • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                        • Instruction Fuzzy Hash: 7C128E7120974A8FC718CF28C490A6AFBE2BFC8345F64892DE9968BB41D731E845CB51
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                        • Instruction ID: dd45cc3dc332a31cf0155ed18f02f05b68a9d8d0447bd3637e9dc43149581c53
                                        • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                        • Instruction Fuzzy Hash: C502F732A083158BC319CF28C49025AFBF2FBC4355F554B2EEC96D7A94D7709864CB92
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                        • Instruction ID: 299b93a696d3229cac5fe8a2b1f82b5c32b42f4902351603a5ddca2b254378cd
                                        • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                        • Instruction Fuzzy Hash: 75F110726042998BEB24CE28E8507EFB7E2FBC5304F584979DC89CBB41DB35950AC791
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                        • Instruction ID: 671e103b9ad80a3ab80c0b482ce241a7b0919a930f3b1aa1d42e36eb39167d55
                                        • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                        • Instruction Fuzzy Hash: C2D1FF7150461A8FD31DCF1CC494636BBE1EFC6305F068ABDEAA28B79AD7389615CB40
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                        • Instruction ID: 59c055c54ebb59377d2886019c316da7d8655f186b4bb64a60eb64d025b00a5d
                                        • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                        • Instruction Fuzzy Hash: B7C1F5752047468BC319CF3AD0E46A7BBE2EFD9314F148A6DC8CA8BB55DA30A40DCB55
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                        • Instruction ID: c1cac700e62c2af363a40691e061ec0d5b9fc1836267d9d94d00e5ecc66c19ca
                                        • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                        • Instruction Fuzzy Hash: 48B1ACB1304B194BD325DB39C8907DBB7E1AF84708F04492DD9AE87791EF30A90D8B95
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                        • Instruction ID: 0214844aaf497ccf2dd0dab78154321339180805b26276c56c90db56044a4d3a
                                        • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                        • Instruction Fuzzy Hash: 53B19D756047068BC308DF29C8806ABF7E2FFC8304F14892DE899C7715E771A599CB96
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                        • Instruction ID: 101a3173bdbdc6b5f2c33a45492e358c07e9a23b072f4558f56250c7d9f47b94
                                        • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                        • Instruction Fuzzy Hash: 78A1063160C3458FC319DF29C59069ABBE5AFD9318F048A2DF8DAC7B40D631E95ACB42
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                        • Instruction ID: ce74ae4e7dd901a485fbf5d288040af8c6a643f1d90e744b99538f7a4cd2fe70
                                        • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                        • Instruction Fuzzy Hash: BC811235A047068FC324DF29C180286F7E5FF99704F28CAADD9999B715E732E946CB81
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                        • Instruction ID: 8aeaa7b1b494637daccf63ac2fe8b3e056ece2a82fd9bad761157237a388278a
                                        • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                        • Instruction Fuzzy Hash: 78519F72F00A099BDB08CE98DDA16EDB7F2FB98308F248169D515E7781DB749A41DB40
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                        • Instruction ID: b6f4bdd2f399f2ce59890cd4ffc66828f04d6e3f6626ace89d84353c6cd33dca
                                        • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                        • Instruction Fuzzy Hash: 0E3114277A480203C70CCA3BCC2679F91536BE862A70ECB796805DAF55D52CC8124144
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                        • Instruction ID: 05ed835e039d34b40d517ab5d4b49b4275dd0a2e7bba8ae3c71e3a762c7ef719
                                        • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                        • Instruction Fuzzy Hash: 97219077320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2DB3AC457C385
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                        • Instruction ID: 184e2ebdb4546817223205cd66fa50c29cd8b6eb34b875f64cb7e981bd674269
                                        • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                        • Instruction Fuzzy Hash: 4AE08C72A12238EBCB15EBD8C940E8AB3ECEB44A45F11009AF501E3610D271DE81C7D0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                        • Instruction ID: 85819b1b73f2740868e7e864c725accb87aff719b4eddaa635031292b0e81be3
                                        • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                        • Instruction Fuzzy Hash: 21C080A311810017C303D92594C079AF6637350330F318C2DA051E7E43C314C0644111
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                        • API String ID: 3519838083-609671
                                        • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                        • Instruction ID: 0d9254d4170ac96dc69e7747c21c3b360b1b93c9fac7f6694ca935db82ea52e0
                                        • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                        • Instruction Fuzzy Hash: 4FD10831A04209DFDF11CFA4D990BEEB7F5FF55308F244459E066A3A50DB74AA0ACBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: __aulldiv$H_prolog
                                        • String ID: >WJ$x$x
                                        • API String ID: 2300968129-3162267903
                                        • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                        • Instruction ID: 544efb14ab8af3e3aec67612015651b7b0d6b70aa6949d3465e0a73e0628e7a3
                                        • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                        • Instruction Fuzzy Hash: 3412667190061DEFDF10DFA4C880AEDBBB5FF58318F648169EA15EB650CB35A984CB50
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 6C199B07
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 6C199B0F
                                        • _ValidateLocalCookies.LIBCMT ref: 6C199B98
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 6C199BC3
                                        • _ValidateLocalCookies.LIBCMT ref: 6C199C18
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: eab41235f946e2fcd55851c363d063ed08cdbc131da3d58564342729d1d0b28f
                                        • Instruction ID: ef688289ff64de53e4fde3cd1a65d2155bb3f97a65cc924528458c2c5d4bd664
                                        • Opcode Fuzzy Hash: eab41235f946e2fcd55851c363d063ed08cdbc131da3d58564342729d1d0b28f
                                        • Instruction Fuzzy Hash: A941D534A112189FCF00DFA8C8A4B9E7BB5BF46318F148155E81D9BB51DB39EA06CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: api-ms-$ext-ms-
                                        • API String ID: 0-537541572
                                        • Opcode ID: 24fd0084fe99c556ef63a401421e7e9296a163e54cda9d40b6508ff1006f4ce4
                                        • Instruction ID: 26ba3f57009a8237a6dc6cf7e00baf1c71a4ae20ec6c68dd13b78d2e3d3a3f83
                                        • Opcode Fuzzy Hash: 24fd0084fe99c556ef63a401421e7e9296a163e54cda9d40b6508ff1006f4ce4
                                        • Instruction Fuzzy Hash: 2C212E3AA16219B7DB118BBDCC54B5A37749F1A768F1202D1F815E7AC0D734DD02C6E0
                                        APIs
                                        • GetConsoleCP.KERNEL32(?,6C1AB0D0,?), ref: 6C1ABEF9
                                        • __fassign.LIBCMT ref: 6C1AC0D8
                                        • __fassign.LIBCMT ref: 6C1AC0F5
                                        • WriteFile.KERNEL32(?,6C1B5AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C1AC13D
                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C1AC17D
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C1AC229
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ConsoleErrorLast
                                        • String ID:
                                        • API String ID: 4031098158-0
                                        • Opcode ID: d553b03de732e28b6188316b620b95649c7c013e378f72e0625751708c625284
                                        • Instruction ID: b4467a9cf30df8aa5848f6dc6a5ee9dcc4fd4422e63b6e24f759031f0076de5a
                                        • Opcode Fuzzy Hash: d553b03de732e28b6188316b620b95649c7c013e378f72e0625751708c625284
                                        • Instruction Fuzzy Hash: ECD19B79E012889FCF11DFE8C8909EDBBB5BF49314F28016AE855BB341D632A906CF50
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C062F95
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C062FAF
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6C062FD0
                                        • __Getctype.LIBCPMT ref: 6C063084
                                        • std::_Facet_Register.LIBCPMT ref: 6C06309C
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6C0630B7
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                        • String ID:
                                        • API String ID: 1102183713-0
                                        • Opcode ID: 3614902820530afa5e8cba410fc66be83b66bdd168759d95c5bcba0c8462751e
                                        • Instruction ID: ea885f27022e016d4f100a06cb49bb90bbf04f4a5a052978e6c1d2495951dbbe
                                        • Opcode Fuzzy Hash: 3614902820530afa5e8cba410fc66be83b66bdd168759d95c5bcba0c8462751e
                                        • Instruction Fuzzy Hash: C24145B1E002588FDB10CF96C854B9EB7F0FF49718F054129D869ABB80D735AA08CBE1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: __aulldiv$__aullrem
                                        • String ID:
                                        • API String ID: 2022606265-0
                                        • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                        • Instruction ID: 5f3e9ffb5b34a5a37d3ee482ebbb54ff41a3d938e3603bd7c90239b5d7d023b3
                                        • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                        • Instruction Fuzzy Hash: 4821C3B051121DBBDF208F959C40DCF7E69EF417A8F218226B92061A90D6719D90CAF1
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1DA6F1
                                          • Part of subcall function 6C1E9173: __EH_prolog.LIBCMT ref: 6C1E9178
                                        • __EH_prolog.LIBCMT ref: 6C1DA8F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: IJ$WIJ$J
                                        • API String ID: 3519838083-740443243
                                        • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                        • Instruction ID: d2660cbec4036b13b5e944f02cac9e08cfb42d7517dba5f43aaf19edad32492b
                                        • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                        • Instruction Fuzzy Hash: 1071C030A00255DFDB14DFA4C480BEDB7F1BF25308F1180A9E855ABB91CB79BA49CB91
                                        APIs
                                        • _free.LIBCMT ref: 6C1B5ADD
                                        • _free.LIBCMT ref: 6C1B5B06
                                        • SetEndOfFile.KERNEL32(00000000,6C1B46EC,00000000,6C1AB0D0,?,?,?,?,?,?,?,6C1B46EC,6C1AB0D0,00000000), ref: 6C1B5B38
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C1B46EC,6C1AB0D0,00000000,?,?,?,?,00000000,?), ref: 6C1B5B54
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFileLast
                                        • String ID: 8Q
                                        • API String ID: 1547350101-4022487301
                                        • Opcode ID: 55cf9c5dfc5e5bab96e2a9cb455d9229209130ca15c75ebc8258804d90f0993a
                                        • Instruction ID: c5c8ef7f1b4ec9a63fba42b47adbe2b0d5861ed9897606739adb00340f768c6c
                                        • Opcode Fuzzy Hash: 55cf9c5dfc5e5bab96e2a9cb455d9229209130ca15c75ebc8258804d90f0993a
                                        • Instruction Fuzzy Hash: 6841B336A00605ABDB019BB9CD81BDE3BB6AF59328F250551F424F7B90EB34D9458F60
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1EE41D
                                          • Part of subcall function 6C1EEE40: __EH_prolog.LIBCMT ref: 6C1EEE45
                                          • Part of subcall function 6C1EE8EB: __EH_prolog.LIBCMT ref: 6C1EE8F0
                                          • Part of subcall function 6C1EE593: __EH_prolog.LIBCMT ref: 6C1EE598
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: &qB$0aJ$A0$XqB
                                        • API String ID: 3519838083-1326096578
                                        • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                        • Instruction ID: 7b0ecd4326a21b775a22f2ccfbb4f635ba65d70a45f8519dd6bbc7fa6fc119f7
                                        • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                        • Instruction Fuzzy Hash: 9D218B71E01258EACB05DBE4D994AEDBBB5AF25318F20402AE41267780DB781F0CCB61
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: J$0J$DJ$`J
                                        • API String ID: 3519838083-2453737217
                                        • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                        • Instruction ID: 7aa5b6bd846ef3bd082c33194eba9f037c08bce86a009189afbc9b4a68b7971a
                                        • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                        • Instruction Fuzzy Hash: B411C2B0900B64CFC720DF5AC45429AFBE4BFA5708B10C91FC4A687B50C7F8A548CB99
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C19F1B4,?,?,6C19F235,?,?,?), ref: 6C19F13F
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C19F152
                                        • FreeLibrary.KERNEL32(00000000,?,?,6C19F1B4,?,?,6C19F235,?,?,?), ref: 6C19F175
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 527ea01ca53881d283de949c18114cf876c05a55314a008baa5ce2e9efd697e3
                                        • Instruction ID: 7303bd72a5645f85571de871464ca84088ef657a8865804145211b6fd86174f8
                                        • Opcode Fuzzy Hash: 527ea01ca53881d283de949c18114cf876c05a55314a008baa5ce2e9efd697e3
                                        • Instruction Fuzzy Hash: E8F08C31601618FBDF029B91C80DBAE7E78EB0676AF200060F815E2060CB388F40EA94
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C19732E
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C197339
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6C1973A7
                                          • Part of subcall function 6C197230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C197248
                                        • std::locale::_Setgloballocale.LIBCPMT ref: 6C197354
                                        • _Yarn.LIBCPMT ref: 6C19736A
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                        • String ID:
                                        • API String ID: 1088826258-0
                                        • Opcode ID: 1d2961ca3b95a0d1fa96999685b0d04d4bcee3c3292465bf57c3a3902836a40a
                                        • Instruction ID: 9b056eddfe26b51f5c76515d0eff3f5c9ddd18770a8b3432fd131ade54c8f4c0
                                        • Opcode Fuzzy Hash: 1d2961ca3b95a0d1fa96999685b0d04d4bcee3c3292465bf57c3a3902836a40a
                                        • Instruction Fuzzy Hash: 01017C75A001149BDB06DF21C994ABD77B1FF96644B15404ADC11977C0CF34AA56CBD1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $!$@
                                        • API String ID: 3519838083-2517134481
                                        • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                        • Instruction ID: aa98eca77793f72a4d47524a8536baae1826d23b93faf2ee83d8557eb032f4c7
                                        • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                        • Instruction Fuzzy Hash: AF12487490924E9FCB04CFA4C4D0ADEBBF1BF48709F148069E945ABF51DB31A985CBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog__aulldiv
                                        • String ID: $SJ
                                        • API String ID: 4125985754-3948962906
                                        • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                        • Instruction ID: d63659ce03f53607b5e5aa983398f6fd8f8bc15d29c7a1e1d15d7dbad780bb7f
                                        • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                        • Instruction Fuzzy Hash: EAB15E71D0060ADFCB14CF55C8949AEBBB1FF58314F20852EE516E7B50D774AA85CB90
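The entries in this listing are the per-function records the Joe Sandbox IDA plugin emits for the module dumped at 6C010000 in process 6: the API calls resolved inside the function with their call-site addresses, the memory dump the code was lifted from, and the similarity fields (API ID, String ID, Opcode ID, fuzzy hashes). To triage them outside the viewer, for example to find every function that references CorExitProcess or to convert call-site addresses into image-relative offsets that survive relocation, the following added parser (example code, not Joe Sandbox's) reads that layout. It assumes only what is visible on this page: the five section headings, '• Key: Value' bullets, API bullets of the form 'Name.MODULE(args), ref: ADDR' or 'Name.MODULE ref: ADDR', and that a 'String ID' holding several strings joins them with '$' (an assumption drawn from values such as CorExitProcess$mscoree.dll). The embedded SAMPLE is constructed from two entries on this page.

```python
"""Parse Joe Sandbox IDA-plugin function entries (added example, not Joe Sandbox code).

Assumed layout, taken from the report text: section headings, '• Key: Value' bullets, API bullets
'Name.MODULE(args), ref: ADDR' or 'Name.MODULE ref: ADDR', and (assumption) '$' joining strings.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

BULLET = "\u2022"
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?P<name>[\w:~]+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*\w+$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: int                          # absolute address of the call site in the dump
    subcall_of: Optional[int] = None  # set for '• Part of subcall function X: ...' lines

@dataclass
class FunctionEntry:
    api_calls: list = field(default_factory=list)
    dump: str = ""
    offset: int = 0                   # load address of the dumped PE image
    associated: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def strings(self) -> list:
        return [s for s in self.fields.get("String ID", "").split("$") if s]  # assumption: '$' separator

    def rva(self, call: ApiCall) -> int:
        return call.ref - self.offset   # offset into the image, stable across relocations

def parse_entries(text: str) -> list:
    entries, cur, section = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            if line == "APIs":                      # each entry opens with 'APIs'
                cur = FunctionEntry()
                entries.append(cur)
            section = line
        elif cur is not None and line.startswith(BULLET):
            body = line[1:].strip()
            if section == "APIs":
                parent = None
                if body.startswith("Part of subcall function"):
                    head, body = body.split(":", 1)
                    parent, body = int(head.split()[-1], 16), body.strip()
                m = API_RE.match(body)
                if m:
                    cur.api_calls.append(ApiCall(m["name"], m["module"], m["args"] or "", int(m["ref"], 16), parent))
            else:
                key, _, value = body.partition(":")
                key, value = key.strip(), value.strip()
                m = SOURCE_RE.match(value) if key == "Source File" else None
                if m:
                    cur.dump, cur.offset = m["dump"], int(m["offset"], 16)
                elif key == "Associated":           # strip the 'Download File' link label
                    cur.associated.append(value.removesuffix("Download File").strip())
                else:
                    cur.fields[key] = value
    return entries

def find(entries: list, needle: str) -> list:
    """Entries whose API names or strings contain needle (case-insensitive)."""
    n = needle.lower()
    return [e for e in entries if any(n in c.name.lower() for c in e.api_calls) or any(n in s.lower() for s in e.strings)]

# Constructed sample in the report's layout (two entries, values taken from this page)
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000), ref: 6C19F13F
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C19F152
• FreeLibrary.KERNEL32(00000000), ref: 6C19F175
Strings
Memory Dump Source
• Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
• Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Instruction Fuzzy Hash: E8F08C31601618FBDF029B91C80DBAE7E78EB0676AF200060F815E2060CB388F40EA94
APIs
• __EH_prolog.LIBCMT ref: 6C1DA6F1
  • Part of subcall function 6C1E9173: __EH_prolog.LIBCMT ref: 6C1E9178
Strings
Memory Dump Source
• Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: IJ$WIJ$J
"""
```

Running `parse_entries(SAMPLE)` yields two records; `find(entries, "corexit")` returns only the first, and `e.rva(call)` turns the 6C19F13F call site into offset 0x18F13F within the image loaded at 6C010000, which is the value to carry into a static copy of the DLL. Lines that do not match the assumed patterns are skipped rather than raising, so a partially extracted listing (such as the truncated final entry on this page) still parses.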
                                        APIs
                                          • Part of subcall function 6C197327: __EH_prolog3.LIBCMT ref: 6C19732E
                                          • Part of subcall function 6C197327: std::_Lockit::_Lockit.LIBCPMT ref: 6C197339
                                          • Part of subcall function 6C197327: std::locale::_Setgloballocale.LIBCPMT ref: 6C197354
                                          • Part of subcall function 6C197327: _Yarn.LIBCPMT ref: 6C19736A
                                          • Part of subcall function 6C197327: std::_Lockit::~_Lockit.LIBCPMT ref: 6C1973A7
                                          • Part of subcall function 6C062F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C062F95
                                          • Part of subcall function 6C062F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C062FAF
                                          • Part of subcall function 6C062F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C062FD0
                                          • Part of subcall function 6C062F60: __Getctype.LIBCPMT ref: 6C063084
                                          • Part of subcall function 6C062F60: std::_Facet_Register.LIBCPMT ref: 6C06309C
                                          • Part of subcall function 6C062F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C0630B7
                                        • std::ios_base::_Addstd.LIBCPMT ref: 6C06211B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 3332196525-1866435925
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $CK$CK
                                        • API String ID: 3519838083-2957773085
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: 0$LrJ$x
                                        • API String ID: 3519838083-658305261
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1F4ECC
                                          • Part of subcall function 6C1DF58A: __EH_prolog.LIBCMT ref: 6C1DF58F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: :hJ$dJ$xJ
                                        • API String ID: 3519838083-2437443688
                                        APIs
                                        • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C1AB0D0,6C061DEA,00008000,6C1AB0D0,?,?,?,6C1AAC7F,6C1AB0D0,?,00000000,6C061DEA), ref: 6C1AADC9
                                        • GetLastError.KERNEL32(?,?,?,6C1AAC7F,6C1AB0D0,?,00000000,6C061DEA,?,6C1B469E,6C1AB0D0,000000FF,000000FF,00000002,00008000,6C1AB0D0), ref: 6C1AADD3
                                        • __dosmaperr.LIBCMT ref: 6C1AADDA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ErrorFileLastPointer__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 2336955059-4022487301
                                        APIs
                                        • AcquireSRWLockExclusive.KERNEL32(6C29466C,?,652EF5AA,6C06230E,6C29430C), ref: 6C196B07
                                        • ReleaseSRWLockExclusive.KERNEL32(6C29466C), ref: 6C196B3A
                                        • WakeAllConditionVariable.KERNEL32(6C294668), ref: 6C196B45
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                        • String ID: lF)l
                                        • API String ID: 1466638765-618779725
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: <J$DJ$HJ$TJ$]
                                        • API String ID: 0-686860805
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID:
                                        • API String ID: 3732870572-0
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,6C19EF64,6C1C6DD8,0000000C), ref: 6C1A49B7
                                        • _free.LIBCMT ref: 6C1A4A14
                                        • _free.LIBCMT ref: 6C1A4A4A
                                        • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C19EF64,6C1C6DD8,0000000C), ref: 6C1A4A55
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ErrorLast_free
                                        • String ID:
                                        • API String ID: 2283115069-0
                                        APIs
                                        • WriteConsoleW.KERNEL32(00000000,?,6C1B46EC,00000000,00000000,?,6C1B4B51,00000000,00000001,00000000,6C1AB0D0,?,6C1AC286,?,?,6C1AB0D0), ref: 6C1B5ED1
                                        • GetLastError.KERNEL32(?,6C1B4B51,00000000,00000001,00000000,6C1AB0D0,?,6C1AC286,?,?,6C1AB0D0,?,6C1AB0D0,?,6C1ABD1C,6C1B5AB6), ref: 6C1B5EDD
                                          • Part of subcall function 6C1B5F2E: CloseHandle.KERNEL32(FFFFFFFE,6C1B5EED,?,6C1B4B51,00000000,00000001,00000000,6C1AB0D0,?,6C1AC286,?,?,6C1AB0D0,?,6C1AB0D0), ref: 6C1B5F3E
                                        • ___initconout.LIBCMT ref: 6C1B5EED
                                          • Part of subcall function 6C1B5F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C1B5EAB,6C1B4B3E,6C1AB0D0,?,6C1AC286,?,?,6C1AB0D0,?), ref: 6C1B5F22
                                        • WriteConsoleW.KERNEL32(00000000,?,6C1B46EC,00000000,?,6C1B4B51,00000000,00000001,00000000,6C1AB0D0,?,6C1AC286,?,?,6C1AB0D0,?), ref: 6C1B5F02
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                        • String ID:
                                        • API String ID: 2744216297-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1CE077
                                          • Part of subcall function 6C1CDFF5: __EH_prolog.LIBCMT ref: 6C1CDFFA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: :$\
                                        • API String ID: 3519838083-1166558509
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog__aullrem
                                        • String ID: d%K
                                        • API String ID: 3415659256-3110269457
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog3_
                                        • String ID: 8Q
                                        • API String ID: 2427045233-4022487301
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$hfJ
                                        • API String ID: 3519838083-1391159562
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1E8C5D
                                          • Part of subcall function 6C1E761A: __EH_prolog.LIBCMT ref: 6C1E761F
                                          • Part of subcall function 6C1E7A2E: __EH_prolog.LIBCMT ref: 6C1E7A33
                                          • Part of subcall function 6C1E8EA5: __EH_prolog.LIBCMT ref: 6C1E8EAA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: WZJ
                                        • API String ID: 3519838083-1089469559
                                        APIs
                                        • ___std_exception_destroy.LIBVCRUNTIME ref: 6C062A76
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                         • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ___std_exception_destroy
                                        • String ID: Jbx$Jbx
                                        • API String ID: 4194217158-1161259238
                                        • Opcode ID: e6c2b314b7b30ca837b1a97a4f4f84fd4cd4c0ceee975b879df043d2eee10ee7
                                        • Instruction ID: 285a63e6915ef4f1211c1acbd2895bd139465371c04ee1c57d13c2c1f6f9225e
                                        • Opcode Fuzzy Hash: e6c2b314b7b30ca837b1a97a4f4f84fd4cd4c0ceee975b879df043d2eee10ee7
                                        • Instruction Fuzzy Hash: BC5105B19002049FCB14CF69D88479EBBF5EF89314F14856EE8499BB41D335E985CFA2
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: <dJ$Q
                                        • API String ID: 3519838083-2252229148
                                        • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                        • Instruction ID: ae00b0a1fd49dd20e30f7ecf4af321974234084b82677dd8fa07451b1cff1f7b
                                        • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                        • Instruction Fuzzy Hash: 85519F71A04289EFCF01DF94C8909EDB7B1FF59358F10852EF521AB650D7399A4ACB11
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $D^J
                                        • API String ID: 3519838083-3977321784
                                        • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                        • Instruction ID: 8849f45ae33e802175ab85b1d739c3b69332969e405f0229751533d10f922c8d
                                        • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                        • Instruction Fuzzy Hash: E0412C20A04FA06EDB22DA298450BEDBBA19F7E34CF148158C492C7F85DB6559CAC399
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C1B46D6), ref: 6C1AD01B
                                        • __dosmaperr.LIBCMT ref: 6C1AD022
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 1659562826-4022487301
                                        • Opcode ID: 86032003d8d61da4d647f7068e66598e3359e7c98b9923561a5f486208068819
                                        • Instruction ID: eb83af1ea5ac49625cd91fa62f70a0ad6bf4ca118e02472ad05af6207e607dd8
                                        • Opcode Fuzzy Hash: 86032003d8d61da4d647f7068e66598e3359e7c98b9923561a5f486208068819
                                        • Instruction Fuzzy Hash: 7E41A779604194BFD711EFADC8A0BA97FA0EF4A308F1482A8EC808B641D3769C13C790
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: X&L$p|J
                                        • API String ID: 3519838083-2944591232
                                        • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                        • Instruction ID: fc747ccc56268d5843fcd42151185c17c4bf2ccb1e49467d8b78977db84a6cb3
                                        • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                        • Instruction Fuzzy Hash: DF31E2317A510EDFD7009B5CD901FAAB771EF2132DF20013BED10A6EA2CB608986CA5D
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: 0|J$`)L
                                        • API String ID: 3519838083-117937767
                                        • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                        • Instruction ID: fc849a73111f808cf74585f6576819679a9b9cb4391fd764d25de6267a14799d
                                        • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                        • Instruction Fuzzy Hash: 36418235705789EFCB159F60C4A0BEABBE2FF55209F00842EF86A57750CB356904CB92
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID: 3333
                                        • API String ID: 3732870572-2924271548
                                        • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                        • Instruction ID: 0f79247855f643837a9bf1c97f3bf10b0156de3521b3261b490fcc3a19049e5d
                                        • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                        • Instruction Fuzzy Hash: D72188B4A107086FD7308FAA8880B5BBAFDEB44B55F10891FB585D7B40DB70E944C765
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID: dU)l$hU)l
                                        • API String ID: 269201875-2142601761
                                        • Opcode ID: 73c94239a544c2c2ed9cb3b2254074ab8ca687bdf27c7709e54b4deda95f92f6
                                        • Instruction ID: cd95c9658ef83a2d8899fb95a92689034c679acc050a22c20ca838df163ba4d4
                                        • Opcode Fuzzy Hash: 73c94239a544c2c2ed9cb3b2254074ab8ca687bdf27c7709e54b4deda95f92f6
                                        • Instruction Fuzzy Hash: 4811D3792043819BF3148FAAD480B82B7E4EB1535CF20442EE49DC7B80EB71E8878B90
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$LuJ
                                        • API String ID: 3519838083-205571748
                                        • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                        • Instruction ID: f1f4ed04037810473224e88e8b02694590c6cff82dc59ef456350976a9f8ff5e
                                        • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                        • Instruction Fuzzy Hash: E00161B1E0168EDAEB10DFD984909AEF7B4FF55704F40842FE569E3A40C3745904CB55
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$xMJ
                                        • API String ID: 3519838083-951924499
                                        • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                        • Instruction ID: e5315cd10d20fab9b07ec07352f05de21d5e2ba4b5d30c5dfbb92a8dbbde69cf
                                        • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                        • Instruction Fuzzy Hash: 01117C71E00249DBCB00DF99C4A069EF7B4FF59348B51C86ED469E7B00D338AA05CB95
                                        APIs
                                        • _free.LIBCMT ref: 6C1ADD49
                                        • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C1AA63A,?,00000004,?,4B42FCB6,?,?,6C19F78C,4B42FCB6,?), ref: 6C1ADD85
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: AllocHeap_free
                                        • String ID: 8Q
                                        • API String ID: 1080816511-4022487301
                                        • Opcode ID: 874581fd79dc074db6b5e35807175245a46ad29e50fdcecc7f6f2d5b8f8555e7
                                        • Instruction ID: df232723c8b1d97ba55873fd41449dfb765aed0fc83ad4eb7425dbb0b64f1557
                                        • Opcode Fuzzy Hash: 874581fd79dc074db6b5e35807175245a46ad29e50fdcecc7f6f2d5b8f8555e7
                                        • Instruction Fuzzy Hash: F2F0F63A655A0576DB213EF69C44B9A3B689FD3778B260225FD249BED0DF24C403C1E4
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1FF746
                                          • Part of subcall function 6C1FF7BF: __EH_prolog.LIBCMT ref: 6C1FF7C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: uB l$sJ
                                        • API String ID: 3519838083-2598105078
                                        • Opcode ID: 479f86800d12ad63e1b8ae242903cd26d6f9166e8cc8054c33d6365a60c3e9bf
                                        • Instruction ID: 889fba4187953eb2c1ae9844039df85454aa2855ce6688dfdac99b0fba06ffb7
                                        • Opcode Fuzzy Hash: 479f86800d12ad63e1b8ae242903cd26d6f9166e8cc8054c33d6365a60c3e9bf
                                        • Instruction Fuzzy Hash: 3701A731B00018EBCB01ABA4C851BEDBBB59F95718F01801AE55152A90CFBC454ACF91
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prologctype
                                        • String ID: |zJ
                                        • API String ID: 3037903784-3782439380
                                        • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                        • Instruction ID: 69383c067f79df9591704971758a0ace26c1b3370ff40eea65e1dac8a8300aa6
                                        • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                        • Instruction Fuzzy Hash: CCE0E5327451159BE7158F48C800F9DF3A4FF54B25F10401FE812A7A40CBF0A8008681
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: H_prologctype
                                        • String ID: <oJ
                                        • API String ID: 3037903784-2791053824
                                        • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                        • Instruction ID: 93b457922523991f8aca3abd28d39c0808ca58cf5165b7fc61d07e153ce19823
                                        • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                        • Instruction Fuzzy Hash: 59E0ED32A191109FDB049F08C820BDEF7A4EF92728F12001EE021A3B41CBB9A8108680
                                        APIs
                                        • AcquireSRWLockExclusive.KERNEL32(6C29466C,?,?,652EF5AA,6C0622D8,6C29430C), ref: 6C196AB9
                                        • ReleaseSRWLockExclusive.KERNEL32(6C29466C), ref: 6C196AF3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1940324888.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true
                                        • Associated: 00000006.00000002.1940303826.000000006C010000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941485767.000000006C1B8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942831244.000000006C382000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID: ExclusiveLock$AcquireRelease
                                        • String ID: lF)l
                                        • API String ID: 17069307-618779725
                                        • Opcode ID: fc717b613ec1fc7c80012ae484b532dbb7d060db2873fbf7942683dc3b3b4259
                                        • Instruction ID: 9aa7fb67a8f091b0f629ee03ce654e8596c643d313ea483b37b13f50e086ac94
                                        • Opcode Fuzzy Hash: fc717b613ec1fc7c80012ae484b532dbb7d060db2873fbf7942683dc3b3b4259
                                        • Instruction Fuzzy Hash: F0F0A074640508DBCB10AF59D844A65FBB8FB97735F15422EE86583BC0D7381842DAB2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @ K$DJ$T)K$X/K
                                        • API String ID: 0-3815299647
                                        • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                        • Instruction ID: 0730c788bd22e42208f5ff2f12413b821a4552060362c349771e77daf7de913d
                                        • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                        • Instruction Fuzzy Hash: 1A91E13060532A9BCF10DEA4C450BEF73A2AF5530DF14442AECA65BB81DB7DA919CB52
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1941551139.000000006C1C8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C1C8000, based on PE: true
                                        • Associated: 00000006.00000002.1942186510.000000006C293000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1942215598.000000006C299000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6c010000_Zt43pLXYiu.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: D)K$H)K$P)K$T)K
                                        • API String ID: 0-2262112463
                                        • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                        • Instruction ID: f97dc45cab8fb3b4e47b42df38af1c4f7dc70fa8a965810c0fa409f9bbf2a5ef
                                        • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                        • Instruction Fuzzy Hash: B8519C30A0420ADBCF12CF90D850BDEB7B1AF6931CF10452AFC5167A80DB7DA958CB52

                                        Execution Graph

                                        Execution Coverage: 4%
                                        Dynamic/Decrypted Code Coverage: 0%
                                        Signature Coverage: 0.4%
                                        Total number of Nodes: 2000
                                        Total number of Limit Nodes: 35
execution_graph
76136->76137 76139 232fec 3 API calls 76136->76139 76142 242880 76137->76142 76147 24281f 76137->76147 76288 251d73 5 API calls __EH_prolog 76137->76288 76138 24251e _CxxThrowException 76141 24252c 76138->76141 76144 2427a9 76139->76144 76140->76141 76273 234eec 16 API calls 76140->76273 76274 234ea1 8 API calls 76140->76274 76275 251d73 5 API calls __EH_prolog 76140->76275 76143 242569 76141->76143 76277 242e04 62 API calls 2 library calls 76141->76277 76145 24289b 76142->76145 76152 232fec 3 API calls 76142->76152 76149 24258c 76143->76149 76278 242e04 62 API calls 2 library calls 76143->76278 76144->76137 76287 233563 memmove 76144->76287 76145->76135 76291 251d73 5 API calls __EH_prolog 76145->76291 76147->76142 76156 242847 76147->76156 76289 251d73 5 API calls __EH_prolog 76147->76289 76154 2425a4 76149->76154 76279 242a61 malloc _CxxThrowException free _CxxThrowException memcpy 76149->76279 76150 2424c1 _CxxThrowException 76150->76126 76152->76145 76280 234eec 16 API calls 76154->76280 76155 242811 _CxxThrowException 76155->76147 76156->76142 76290 251d73 5 API calls __EH_prolog 76156->76290 76163 2425ad 76281 251b07 49 API calls 76163->76281 76164 2428c0 _CxxThrowException 76164->76107 76165 242839 _CxxThrowException 76165->76156 76166 242872 _CxxThrowException 76166->76142 76168 2425b4 76282 234ea1 8 API calls 76168->76282 76170 2425bb 76171 232fec 3 API calls 76170->76171 76172 2425d6 76170->76172 76171->76172 76172->76135 76173 24261f 76172->76173 76283 251d73 5 API calls __EH_prolog 76172->76283 76173->76135 76175 232fec 3 API calls 76173->76175 76177 24263f 76175->76177 76176 242611 _CxxThrowException 76176->76173 76284 23859e malloc _CxxThrowException free _CxxThrowException 76177->76284 76180 257b52 __EH_prolog 76179->76180 76304 257eec 76180->76304 76182 257ca4 76182->75980 76184 232e04 malloc _CxxThrowException 76187 257b63 76184->76187 76185 2330ea malloc _CxxThrowException free 76185->76187 76187->76182 76187->76184 76187->76185 76188 231e40 free 
ctype 76187->76188 76191 2704d2 5 API calls 76187->76191 76192 23429a 3 API calls 76187->76192 76194 257c61 memcpy 76187->76194 76309 2570ea 76187->76309 76312 257a40 76187->76312 76330 257cc3 6 API calls 76187->76330 76331 2412a5 76187->76331 76336 2574eb malloc _CxxThrowException memcpy __EH_prolog ctype 76187->76336 76337 257193 76187->76337 76188->76187 76191->76187 76192->76187 76194->76187 76196->75982 76197->75989 76198->75987 76199->75998 76200->75998 76201->75998 76202->75994 76203->75997 76204->76051 76205->76051 76206->76051 76207->76051 76208->76051 76209->76051 76210->76051 76211->76003 76212->76038 76213->76038 76214->76038 76215->76038 76216->76038 76217->76009 76218->76027 76219->76027 76220->76027 76221->76027 76222->76027 76223->76014 76224->76019 76225->76023 76226->76037 76227->76044 76228->76048 76229->76050 76230->76056 76232 232f1c 2 API calls 76231->76232 76235 2429fe 76232->76235 76234 241f7e 76234->76065 76264 251d73 5 API calls __EH_prolog 76234->76264 76295 231e40 free 76235->76295 76237 242ab3 __EH_prolog 76236->76237 76238 232e8a 2 API calls 76237->76238 76249 242b0f 76237->76249 76240 242af4 76238->76240 76239 2422ad 76239->76096 76239->76098 76296 242a61 malloc _CxxThrowException free _CxxThrowException memcpy 76240->76296 76242 242b04 76297 231e40 free 76242->76297 76243 242bc6 76302 251d73 5 API calls __EH_prolog 76243->76302 76246 242bd6 _CxxThrowException 76246->76239 76249->76239 76249->76243 76251 242b9f 76249->76251 76298 242cb4 48 API calls 2 library calls 76249->76298 76299 242bf5 8 API calls __EH_prolog 76249->76299 76300 242a61 malloc _CxxThrowException free _CxxThrowException memcpy 76249->76300 76251->76239 76301 251d73 5 API calls __EH_prolog 76251->76301 76253 242bb8 _CxxThrowException 76253->76243 76260 243856 __EH_prolog 76254->76260 76255 232e04 malloc _CxxThrowException 76255->76260 76256 232fec 3 API calls 76256->76260 76257 232f88 3 API calls 76257->76260 76258 2704d2 5 API calls 76258->76260 76260->76255 
76260->76256 76260->76257 76260->76258 76261 231e40 free ctype 76260->76261 76262 243917 76260->76262 76303 243b76 malloc _CxxThrowException __EH_prolog ctype 76260->76303 76261->76260 76262->76106 76263->76063 76264->76068 76265->76076 76266->76078 76267->76081 76268->76082 76269->76089 76270->76087 76271->76097 76272->76103 76273->76140 76274->76140 76275->76150 76276->76138 76277->76143 76278->76149 76279->76154 76280->76163 76281->76168 76282->76170 76283->76176 76284->76135 76285->76116 76286->76118 76287->76137 76288->76155 76289->76165 76290->76166 76291->76164 76292->76131 76293->76122 76294->76130 76295->76234 76296->76242 76297->76249 76298->76249 76299->76249 76300->76249 76301->76253 76302->76246 76303->76260 76305 257f14 76304->76305 76307 257ef7 76304->76307 76305->76187 76306 257193 free 76306->76307 76307->76305 76307->76306 76345 231e40 free 76307->76345 76310 232e04 2 API calls 76309->76310 76311 257103 76310->76311 76311->76187 76313 257a4a __EH_prolog 76312->76313 76346 23361b 6 API calls 2 library calls 76313->76346 76315 257a78 76347 23361b 6 API calls 2 library calls 76315->76347 76317 257a83 76318 257b20 76317->76318 76322 232e04 malloc _CxxThrowException 76317->76322 76324 232fec 3 API calls 76317->76324 76325 232fec 3 API calls 76317->76325 76326 2704d2 5 API calls 76317->76326 76329 231e40 free ctype 76317->76329 76348 257955 malloc _CxxThrowException __EH_prolog ctype 76317->76348 76349 262db9 free ctype 76318->76349 76320 257b2b 76350 262db9 free ctype 76320->76350 76322->76317 76323 257b37 76323->76187 76324->76317 76327 257aca wcscmp 76325->76327 76326->76317 76327->76317 76329->76317 76330->76187 76332 2704d2 5 API calls 76331->76332 76333 2412ad 76332->76333 76334 231e0c ctype 2 API calls 76333->76334 76335 2412b4 76334->76335 76335->76187 76336->76187 76338 25719d __EH_prolog 76337->76338 76351 262db9 free ctype 76338->76351 76340 2571b3 76352 2571d5 free __EH_prolog ctype 76340->76352 76342 2571bf 76353 231e40 free 76342->76353 
76344 2571c7 76344->76187 76345->76307 76346->76315 76347->76317 76348->76317 76349->76320 76350->76323 76351->76340 76352->76342 76353->76344 76354 2b69f0 free 76355 2cffb1 __setusermatherr 76356 2cffbd 76355->76356 76360 2d0068 _controlfp 76356->76360 76358 2cffc2 _initterm __getmainargs _initterm __p___initenv 76359 26c27c 76358->76359 76360->76358 76361 25cefb 76362 25d0cc 76361->76362 76363 25cf03 76361->76363 76363->76362 76408 25cae9 VariantClear 76363->76408 76365 25cf59 76365->76362 76409 25cae9 VariantClear 76365->76409 76367 25cf71 76367->76362 76410 25cae9 VariantClear 76367->76410 76369 25cf87 76369->76362 76411 25cae9 VariantClear 76369->76411 76371 25cf9d 76371->76362 76412 25cae9 VariantClear 76371->76412 76373 25cfb3 76373->76362 76413 25cae9 VariantClear 76373->76413 76375 25cfc9 76375->76362 76414 234504 malloc _CxxThrowException 76375->76414 76377 25cfdc 76378 232e04 2 API calls 76377->76378 76380 25cfe7 76378->76380 76379 25d009 76382 25d07b 76379->76382 76384 25d080 76379->76384 76385 25d030 76379->76385 76380->76379 76381 232f88 3 API calls 76380->76381 76381->76379 76422 231e40 free 76382->76422 76419 257a0c CharUpperW 76384->76419 76388 232e04 2 API calls 76385->76388 76386 25d0c4 76423 231e40 free 76386->76423 76391 25d038 76388->76391 76390 25d08b 76420 24fdbc 4 API calls 2 library calls 76390->76420 76392 232e04 2 API calls 76391->76392 76394 25d046 76392->76394 76415 24fdbc 4 API calls 2 library calls 76394->76415 76395 25d0a7 76397 232fec 3 API calls 76395->76397 76399 25d0b3 76397->76399 76398 25d057 76400 232fec 3 API calls 76398->76400 76421 231e40 free 76399->76421 76402 25d063 76400->76402 76416 231e40 free 76402->76416 76404 25d06b 76417 231e40 free 76404->76417 76406 25d073 76418 231e40 free 76406->76418 76408->76365 76409->76367 76410->76369 76411->76371 76412->76373 76413->76375 76414->76377 76415->76398 76416->76404 76417->76406 76418->76382 76419->76390 76420->76395 76421->76382 76422->76386 76423->76362 76424 23c3bd 76425 
23c3db 76424->76425 76426 23c3ca 76424->76426 76426->76425 76428 231e40 free 76426->76428 76428->76425 76429 25a7c5 76433 25a7e9 76429->76433 76438 25a96b 76429->76438 76430 25ade3 76534 231e40 free 76430->76534 76432 25a952 76432->76438 76515 25e0b0 6 API calls 76432->76515 76433->76432 76455 2704d2 5 API calls 76433->76455 76514 25e0b0 6 API calls 76433->76514 76434 25adeb 76535 231e40 free 76434->76535 76438->76430 76448 25ac1e 76438->76448 76463 25ac6c 76438->76463 76476 25ad88 76438->76476 76480 25ad17 76438->76480 76482 25acbc 76438->76482 76496 24101c 76438->76496 76499 2598f2 76438->76499 76505 25cc6f 76438->76505 76516 259531 5 API calls __EH_prolog 76438->76516 76517 2580c1 malloc _CxxThrowException __EH_prolog 76438->76517 76518 25c820 5 API calls 2 library calls 76438->76518 76519 25814d 6 API calls 76438->76519 76520 258125 free ctype 76438->76520 76439 25adf3 76440 25ae99 76439->76440 76450 2704d2 malloc _CxxThrowException free _CxxThrowException memcpy 76439->76450 76443 231e0c ctype 2 API calls 76440->76443 76444 25aea9 memset memset 76443->76444 76446 25aedd 76444->76446 76445 25ac26 76522 231e40 free 76445->76522 76536 231e40 free 76446->76536 76521 231e40 free 76448->76521 76450->76439 76451 25aee5 76537 231e40 free 76451->76537 76455->76433 76456 25aef0 76538 231e40 free 76456->76538 76459 25c430 76540 231e40 free 76459->76540 76462 25c438 76541 231e40 free 76462->76541 76523 231e40 free 76463->76523 76467 25c443 76542 231e40 free 76467->76542 76468 25ac85 76524 231e40 free 76468->76524 76471 25c44e 76543 231e40 free 76471->76543 76472 25ac2e 76539 231e40 free 76472->76539 76474 25c459 76531 258125 free ctype 76476->76531 76528 258125 free ctype 76480->76528 76481 25ad93 76532 231e40 free 76481->76532 76525 258125 free ctype 76482->76525 76486 25acc7 76526 231e40 free 76486->76526 76487 25ad3c 76529 231e40 free 76487->76529 76488 25adac 76533 231e40 free 76488->76533 76492 25ace0 76527 231e40 free 76492->76527 76493 25ad55 76530 231e40 free 
76493->76530 76498 23b95a 6 API calls 76496->76498 76497 241028 76497->76438 76498->76497 76500 2598fc __EH_prolog 76499->76500 76544 259987 76500->76544 76502 259911 76503 259970 76502->76503 76548 25ef8d 12 API calls 2 library calls 76502->76548 76503->76438 76588 27cf91 76505->76588 76596 27f445 76505->76596 76602 275505 76505->76602 76506 25cc8b 76510 25cccb 76506->76510 76606 25979e VariantClear __EH_prolog 76506->76606 76508 25ccb1 76508->76510 76607 25cae9 VariantClear 76508->76607 76510->76438 76514->76433 76515->76438 76516->76438 76517->76438 76518->76438 76519->76438 76520->76438 76521->76445 76522->76472 76523->76468 76524->76472 76525->76486 76526->76492 76527->76472 76528->76487 76529->76493 76530->76472 76531->76481 76532->76488 76533->76472 76534->76434 76535->76439 76536->76451 76537->76456 76538->76472 76539->76459 76540->76462 76541->76467 76542->76471 76543->76474 76545 259991 __EH_prolog 76544->76545 76549 2880aa 76545->76549 76546 2599a8 76546->76502 76548->76503 76550 2880b4 __EH_prolog 76549->76550 76551 231e0c ctype 2 API calls 76550->76551 76552 2880bf 76551->76552 76553 2880d3 76552->76553 76555 27bdb5 76552->76555 76553->76546 76556 27bdbf __EH_prolog 76555->76556 76561 27be69 76556->76561 76558 27bdef 76559 232e04 2 API calls 76558->76559 76560 27be16 76559->76560 76560->76553 76562 27be73 __EH_prolog 76561->76562 76565 275e2b 76562->76565 76564 27be7f 76564->76558 76566 275e35 __EH_prolog 76565->76566 76571 2708b6 76566->76571 76568 275e41 76576 24dfc9 malloc _CxxThrowException __EH_prolog 76568->76576 76570 275e57 76570->76564 76577 239c60 76571->76577 76573 2708c4 76582 239c8f GetModuleHandleA GetProcAddress 76573->76582 76575 2708f3 __aulldiv 76575->76568 76576->76570 76587 239c4d GetCurrentProcess GetProcessAffinityMask 76577->76587 76579 239c6e 76580 239c80 GetSystemInfo 76579->76580 76581 239c79 76579->76581 76580->76573 76581->76573 76583 239cc4 GlobalMemoryStatusEx 76582->76583 76584 239cef GlobalMemoryStatus 76582->76584 
76583->76584 76586 239cce 76583->76586 76585 239d08 76584->76585 76585->76586 76586->76575 76587->76579 76589 27cf9b __EH_prolog 76588->76589 76590 27f445 14 API calls 76589->76590 76591 27d018 76590->76591 76593 27d01f 76591->76593 76608 281511 76591->76608 76593->76506 76594 27d08b 76594->76593 76614 282c5d 11 API calls 2 library calls 76594->76614 76597 27f455 76596->76597 76740 241092 76597->76740 76600 27f478 76600->76506 76603 27550f __EH_prolog 76602->76603 76753 274e8a 76603->76753 76606->76508 76607->76510 76609 28151b __EH_prolog 76608->76609 76615 2810d3 76609->76615 76612 281589 76612->76594 76613 281552 _CxxThrowException 76613->76594 76614->76593 76616 2810dd __EH_prolog 76615->76616 76617 27d1b7 free 76616->76617 76618 2810f2 76617->76618 76619 2812ef 76618->76619 76620 2811f4 76618->76620 76624 241168 10 API calls 76618->76624 76619->76612 76619->76613 76620->76619 76646 23b95a 6 API calls 76620->76646 76621 2813c4 76647 241168 76621->76647 76622 28139e 76622->76619 76622->76621 76625 231e0c ctype 2 API calls 76622->76625 76624->76620 76625->76621 76626 2813da 76629 2813f9 76626->76629 76639 2813de 76626->76639 76685 27ef67 _CxxThrowException 76626->76685 76650 27f047 76629->76650 76632 2814ba 76689 280943 50 API calls 2 library calls 76632->76689 76633 281450 76654 2806ae 76633->76654 76637 2814e7 76690 262db9 free ctype 76637->76690 76691 231e40 free 76639->76691 76642 28148e 76643 27f047 _CxxThrowException 76642->76643 76644 2814ac 76643->76644 76644->76632 76688 27ef67 _CxxThrowException 76644->76688 76646->76622 76648 24111c 10 API calls 76647->76648 76649 24117b 76648->76649 76649->76626 76651 27f063 76650->76651 76652 27f072 76651->76652 76692 27ef67 _CxxThrowException 76651->76692 76652->76632 76652->76633 76686 27ef67 _CxxThrowException 76652->76686 76655 2806b8 __EH_prolog 76654->76655 76693 2803f4 76655->76693 76657 2412a5 5 API calls 76681 280715 76657->76681 76658 27b8dc ctype free 76659 2808a6 76658->76659 76723 231e40 free 
76659->76723 76661 2808e3 _CxxThrowException 76663 2808f7 76661->76663 76662 2808ae 76724 231e40 free 76662->76724 76667 27b8dc ctype free 76663->76667 76665 23429a 3 API calls 76665->76681 76666 2808b6 76725 231e40 free 76666->76725 76668 280914 76667->76668 76727 231e40 free 76668->76727 76669 231e0c ctype 2 API calls 76669->76681 76672 2808be 76726 27c149 free ctype 76672->76726 76673 28091c 76728 231e40 free 76673->76728 76676 2808d0 76676->76637 76676->76642 76687 27ef67 _CxxThrowException 76676->76687 76677 280924 76729 231e40 free 76677->76729 76679 2781ec 29 API calls 76679->76681 76680 28092c 76730 27c149 free ctype 76680->76730 76681->76657 76681->76661 76681->76663 76681->76665 76681->76669 76681->76679 76683 280877 76681->76683 76684 27ef67 _CxxThrowException 76681->76684 76683->76658 76684->76681 76685->76629 76686->76633 76687->76642 76688->76632 76689->76637 76690->76639 76691->76619 76692->76652 76694 27f047 _CxxThrowException 76693->76694 76695 280407 76694->76695 76698 27f047 _CxxThrowException 76695->76698 76699 280475 76695->76699 76696 28049a 76697 2804b8 76696->76697 76735 28159a malloc _CxxThrowException free ctype 76696->76735 76700 2804e8 76697->76700 76706 2804cd 76697->76706 76701 280421 76698->76701 76699->76696 76734 27fa3f 22 API calls 2 library calls 76699->76734 76737 287c4a malloc _CxxThrowException free ctype 76700->76737 76707 28043e 76701->76707 76731 27ef67 _CxxThrowException 76701->76731 76704 280492 76709 27f047 _CxxThrowException 76704->76709 76736 27fff0 9 API calls 2 library calls 76706->76736 76732 27f93c 7 API calls 2 library calls 76707->76732 76708 2804f3 76719 2804e3 76708->76719 76738 24089e malloc _CxxThrowException free _CxxThrowException memcpy 76708->76738 76709->76696 76713 2804db 76715 27f047 _CxxThrowException 76713->76715 76714 28046d 76717 27f047 _CxxThrowException 76714->76717 76715->76719 76716 280446 76716->76714 76733 27ef67 _CxxThrowException 76716->76733 76717->76699 76718 28054a 76718->76681 
76719->76718 76739 27ef67 _CxxThrowException 76719->76739 76723->76662 76724->76666 76725->76672 76726->76676 76727->76673 76728->76677 76729->76680 76730->76676 76731->76707 76732->76716 76733->76714 76734->76704 76735->76697 76736->76713 76737->76708 76738->76708 76739->76718 76742 23b95a 6 API calls 76740->76742 76741 2410aa 76741->76600 76743 27f1b2 76741->76743 76742->76741 76744 27f1bc __EH_prolog 76743->76744 76745 241168 10 API calls 76744->76745 76746 27f1d3 76745->76746 76747 27f231 memcpy 76746->76747 76748 27f21c _CxxThrowException 76746->76748 76749 27f1e6 76746->76749 76751 27f24c 76747->76751 76748->76747 76749->76600 76750 27f2f0 memmove 76750->76751 76751->76749 76751->76750 76752 27f31a memcpy 76751->76752 76752->76749 76754 274e94 __EH_prolog 76753->76754 76755 232e04 2 API calls 76754->76755 76858 274f1d 76754->76858 76756 274ed7 76755->76756 76885 247fc5 76756->76885 76758 274f37 76761 274f63 76758->76761 76762 274f41 76758->76762 76759 274f0a 76760 23965d VariantClear 76759->76760 76764 274f15 76760->76764 76763 232f88 3 API calls 76761->76763 76765 23965d VariantClear 76762->76765 76767 274f71 76763->76767 76906 231e40 free 76764->76906 76766 274f4c 76765->76766 76907 231e40 free 76766->76907 76770 23965d VariantClear 76767->76770 76771 274f80 76770->76771 76908 245bcf malloc _CxxThrowException 76771->76908 76773 274f9a 76774 232e47 2 API calls 76773->76774 76775 274fad 76774->76775 76776 232f1c 2 API calls 76775->76776 76777 274fbd 76776->76777 76778 232e04 2 API calls 76777->76778 76779 274fd1 76778->76779 76780 232e04 2 API calls 76779->76780 76789 274fdd 76780->76789 76781 275404 76947 231e40 free 76781->76947 76783 27540c 76948 231e40 free 76783->76948 76785 275414 76949 231e40 free 76785->76949 76788 275099 76791 232da9 2 API calls 76788->76791 76789->76781 76909 245bcf malloc _CxxThrowException 76789->76909 76790 27541c 76950 231e40 free 76790->76950 76793 2750a9 76791->76793 76796 232fec 3 API calls 76793->76796 76794 275424 76951 
231e40 free 76794->76951 76797 2750b6 76796->76797 76910 231e40 free 76797->76910 76798 27542c 76952 231e40 free 76798->76952 76801 2750be 76911 231e40 free 76801->76911 76803 2750cd 76804 232f88 3 API calls 76803->76804 76805 2750e3 76804->76805 76806 2750f1 76805->76806 76807 275100 76805->76807 76808 2330ea 3 API calls 76806->76808 76912 233044 malloc _CxxThrowException free ctype 76807->76912 76810 2750fe 76808->76810 76913 241029 6 API calls 76810->76913 76812 27511a 76813 275120 76812->76813 76814 27516b 76812->76814 76914 231e40 free 76813->76914 76920 24089e malloc _CxxThrowException free _CxxThrowException memcpy 76814->76920 76817 275128 76915 231e40 free 76817->76915 76818 275187 76821 2704d2 5 API calls 76818->76821 76820 275130 76916 231e40 free 76820->76916 76823 2751ba 76821->76823 76921 270516 malloc _CxxThrowException ctype 76823->76921 76824 275138 76917 231e40 free 76824->76917 76827 2751c5 76832 2751f5 76827->76832 76833 27522d 76827->76833 76828 275140 76918 231e40 free 76828->76918 76830 275148 76919 231e40 free 76830->76919 76922 231e40 free 76832->76922 76834 232e04 2 API calls 76833->76834 76880 275235 76834->76880 76836 2751fd 76923 231e40 free 76836->76923 76839 275205 76924 231e40 free 76839->76924 76840 27532e 76933 231e40 free 76840->76933 76842 27520d 76925 231e40 free 76842->76925 76845 275347 76845->76781 76847 275358 76845->76847 76846 275215 76926 231e40 free 76846->76926 76934 231e40 free 76847->76934 76849 2753a3 76940 231e40 free 76849->76940 76851 275360 76935 231e40 free 76851->76935 76852 27521d 76927 231e40 free 76852->76927 76856 275368 76936 231e40 free 76856->76936 76858->76506 76860 2753bc 76941 231e40 free 76860->76941 76861 275370 76937 231e40 free 76861->76937 76865 2753c4 76942 231e40 free 76865->76942 76866 275378 76938 231e40 free 76866->76938 76868 2704d2 5 API calls 76868->76880 76870 2753cc 76943 231e40 free 76870->76943 76871 275380 76939 231e40 free 76871->76939 76875 2753d4 76944 231e40 free 76875->76944 
76877 2753dc 76945 231e40 free 76877->76945 76879 2753e4 76946 231e40 free 76879->76946 76880->76840 76880->76849 76880->76868 76883 232e04 2 API calls 76880->76883 76928 27545c 5 API calls 2 library calls 76880->76928 76929 241029 6 API calls 76880->76929 76930 24089e malloc _CxxThrowException free _CxxThrowException memcpy 76880->76930 76931 270516 malloc _CxxThrowException ctype 76880->76931 76932 231e40 free 76880->76932 76883->76880 76886 247fcf __EH_prolog 76885->76886 76887 248061 76886->76887 76889 24805c 76886->76889 76890 248019 76886->76890 76893 247ff4 76886->76893 76887->76889 76901 248025 76887->76901 76961 239630 VariantClear 76889->76961 76890->76893 76894 24801e 76890->76894 76891 2480b8 76896 23965d VariantClear 76891->76896 76904 24800a 76893->76904 76953 23950d 76893->76953 76897 248042 76894->76897 76898 248022 76894->76898 76900 2480c0 76896->76900 76959 239597 VariantClear 76897->76959 76898->76901 76902 248032 76898->76902 76900->76758 76900->76759 76901->76904 76960 2395df VariantClear 76901->76960 76958 239604 VariantClear 76902->76958 76962 239736 VariantClear 76904->76962 76906->76858 76907->76858 76908->76773 76909->76788 76910->76801 76911->76803 76912->76810 76913->76812 76914->76817 76915->76820 76916->76824 76917->76828 76918->76830 76919->76858 76920->76818 76921->76827 76922->76836 76923->76839 76924->76842 76925->76846 76926->76852 76927->76858 76928->76880 76929->76880 76930->76880 76931->76880 76932->76880 76933->76845 76934->76851 76935->76856 76936->76861 76937->76866 76938->76871 76939->76858 76940->76860 76941->76865 76942->76870 76943->76875 76944->76877 76945->76879 76946->76858 76947->76783 76948->76785 76949->76790 76950->76794 76951->76798 76952->76858 76963 239767 76953->76963 76955 239518 SysAllocStringLen 76956 239539 _CxxThrowException 76955->76956 76957 23954f 76955->76957 76956->76957 76957->76904 76958->76904 76959->76904 76960->76904 76961->76904 76962->76891 76964 239770 76963->76964 76965 239779 76963->76965 
76964->76955 76968 239686 VariantClear 76965->76968 76967 239780 76967->76955 76968->76967 76969 270343 76974 27035f 76969->76974 76972 270358 76975 270369 __EH_prolog 76974->76975 76991 24139e 76975->76991 76980 270143 ctype free 76981 27039a 76980->76981 77001 231e40 free 76981->77001 76983 2703a2 77002 231e40 free 76983->77002 76985 2703aa 77003 2703d8 76985->77003 76990 231e40 free 76990->76972 76992 2413b3 76991->76992 76993 2413ae 76991->76993 76995 2701c4 76992->76995 77019 2c7ea0 SetEvent GetLastError 76993->77019 76999 2701ce __EH_prolog 76995->76999 76997 27020b 76997->76980 76998 270203 77020 231e40 free 76998->77020 76999->76998 77021 231e40 free 76999->77021 77001->76983 77002->76985 77004 2703e2 __EH_prolog 77003->77004 77005 24139e ctype 2 API calls 77004->77005 77006 2703fb 77005->77006 77022 2c7d50 77006->77022 77008 270403 77009 2c7d50 ctype 2 API calls 77008->77009 77010 27040b 77009->77010 77011 2c7d50 ctype 2 API calls 77010->77011 77012 2703b7 77011->77012 77013 27004a 77012->77013 77014 270054 __EH_prolog 77013->77014 77028 231e40 free 77014->77028 77016 270067 77029 231e40 free 77016->77029 77018 27006f 77018->76972 77018->76990 77019->76992 77020->76997 77021->76999 77023 2c7d59 CloseHandle 77022->77023 77024 2c7d7b 77022->77024 77025 2c7d64 GetLastError 77023->77025 77026 2c7d75 77023->77026 77024->77008 77025->77024 77027 2c7d6e 77025->77027 77026->77024 77027->77008 77028->77016 77029->77018 77030 23b144 77031 23b153 77030->77031 77033 23b159 77030->77033 77032 2411b4 107 API calls 77031->77032 77032->77033 77034 25d3c2 77035 25d3e9 77034->77035 77036 23965d VariantClear 77035->77036 77037 25d42a 77036->77037 77038 25d883 2 API calls 77037->77038 77039 25d4b1 77038->77039 77125 258d4a 77039->77125 77042 258b05 VariantClear 77045 25d4e3 77042->77045 77043 252a72 2 API calls 77044 25d54c 77043->77044 77046 232fec 3 API calls 77044->77046 77045->77043 77047 25d594 77046->77047 77048 25d742 77047->77048 77049 25d5cd 77047->77049 77157 25cd49 
malloc _CxxThrowException free 77048->77157 77051 25d7d9 77049->77051 77142 259317 77049->77142 77160 231e40 free 77051->77160 77052 25d754 77055 232fec 3 API calls 77052->77055 77058 25d763 77055->77058 77056 25d7e1 77161 231e40 free 77056->77161 77158 231e40 free 77058->77158 77060 25d5f1 77063 2704d2 5 API calls 77060->77063 77062 25d7e9 77065 25326b free 77062->77065 77066 25d5f9 77063->77066 77064 25d76b 77159 231e40 free 77064->77159 77076 25d69a 77065->77076 77148 25e332 77066->77148 77070 25d773 77072 25326b free 77070->77072 77072->77076 77073 25d610 77155 231e40 free 77073->77155 77075 25d618 77077 25326b free 77075->77077 77078 25d2a8 77077->77078 77078->77076 77100 25d883 77078->77100 77081 232fec 3 API calls 77082 25d361 77081->77082 77083 232fec 3 API calls 77082->77083 77084 25d36d 77083->77084 77112 25d0e1 77084->77112 77086 25d380 77087 25d665 77086->77087 77088 25d38a 77086->77088 77089 25d68b 77087->77089 77156 25cd49 malloc _CxxThrowException free 77087->77156 77090 2704d2 5 API calls 77088->77090 77093 25326b free 77089->77093 77091 25d392 77090->77091 77094 25e332 2 API calls 77091->77094 77093->77076 77096 25d3a1 77094->77096 77095 25d67c 77097 232fec 3 API calls 77095->77097 77098 25326b free 77096->77098 77097->77089 77099 25d3b0 77098->77099 77101 25d88d __EH_prolog 77100->77101 77102 232e04 2 API calls 77101->77102 77103 25d8c6 77102->77103 77104 232e04 2 API calls 77103->77104 77105 25d8d2 77104->77105 77106 232e04 2 API calls 77105->77106 77107 25d8de 77106->77107 77108 252b63 2 API calls 77107->77108 77109 25d8fa 77108->77109 77110 252b63 2 API calls 77109->77110 77111 25d34f 77110->77111 77111->77081 77113 25d0eb __EH_prolog 77112->77113 77114 25d138 77113->77114 77115 25d10b 77113->77115 77117 231e0c ctype 2 API calls 77114->77117 77118 25d112 77114->77118 77116 231e0c ctype 2 API calls 77115->77116 77116->77118 77119 25d14b 77117->77119 77118->77086 77120 232fec 3 API calls 77119->77120 77121 25d17b 77120->77121 77162 237b41 28 API 
calls 77121->77162 77123 25d18a 77123->77118 77163 23757d GetLastError 77123->77163 77133 258d54 __EH_prolog 77125->77133 77126 258da4 77127 258e15 77126->77127 77128 258e09 77126->77128 77136 258e11 77126->77136 77129 258e2d 77127->77129 77131 258e21 77127->77131 77132 258e5e 77127->77132 77130 23965d VariantClear 77128->77130 77129->77132 77137 258e2b 77129->77137 77130->77136 77165 233097 malloc _CxxThrowException free SysStringLen ctype 77131->77165 77135 23965d VariantClear 77132->77135 77133->77126 77164 232b55 malloc _CxxThrowException free _CxxThrowException ctype 77133->77164 77135->77136 77136->77042 77138 23965d VariantClear 77137->77138 77140 258e47 77138->77140 77140->77136 77166 258e7c 6 API calls __EH_prolog 77140->77166 77146 259321 __EH_prolog 77142->77146 77143 259360 77144 23965d VariantClear 77143->77144 77145 2593d0 77144->77145 77145->77051 77145->77060 77146->77143 77167 239686 VariantClear 77146->77167 77149 25e33c __EH_prolog 77148->77149 77150 231e0c ctype 2 API calls 77149->77150 77151 25e34a 77150->77151 77152 25d608 77151->77152 77168 25e3d1 malloc _CxxThrowException __EH_prolog 77151->77168 77154 231e40 free 77152->77154 77154->77073 77155->77075 77156->77095 77157->77052 77158->77064 77159->77070 77160->77056 77161->77062 77162->77123 77163->77118 77164->77126 77165->77137 77166->77136 77167->77143 77168->77152 77169 25d948 77199 25dac7 77169->77199 77171 25d94f 77172 232e04 2 API calls 77171->77172 77173 25d97b 77172->77173 77174 232e04 2 API calls 77173->77174 77175 25d987 77174->77175 77178 25d9e7 77175->77178 77207 236404 77175->77207 77180 25da36 77178->77180 77181 25da0f 77178->77181 77185 25da94 77180->77185 77189 232da9 2 API calls 77180->77189 77196 2704d2 5 API calls 77180->77196 77234 231524 malloc _CxxThrowException __EH_prolog ctype 77180->77234 77235 231e40 free 77180->77235 77232 231e40 free 77181->77232 77184 25d9bf 77230 231e40 free 77184->77230 77236 231e40 free 77185->77236 77186 25da17 77233 231e40 free 
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002781F1
                                          • Part of subcall function 0027F749: _CxxThrowException.MSVCRT(?,002E4A58), ref: 0027F792
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: ExceptionH_prologThrow
                                        • String ID:
                                        • API String ID: 461045715-3916222277
                                        • Opcode ID: 7eab74c6f185c73d12fd8f65f2a6d8a72d8cea0be57e0fdf77d656285995075e
                                        • Instruction ID: c0d2e371755ab0e1bd1ebb782201e9867c62f957b30079e21d6ffca99c41c6a9
                                        • Opcode Fuzzy Hash: 7eab74c6f185c73d12fd8f65f2a6d8a72d8cea0be57e0fdf77d656285995075e
                                        • Instruction Fuzzy Hash: 2792A23191024ADFDF15DFA8C888BAEBBB1BF15304F248099E809AB291CB71DD65CF51
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0023686D
                                          • Part of subcall function 00236848: FindClose.KERNELBASE(00000000,?,00236880), ref: 00236853
                                        • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 002368A5
                                        • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 002368DE
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: Find$FileFirst$CloseH_prolog
                                        • String ID:
                                        • API String ID: 3371352514-0
                                        • Opcode ID: 55ecf60a42c1f404608676072cd61fcfdfe0b3ffd1a50293cd24e0ac4b332111
                                        • Instruction ID: 96d96fe5d0df581c3e3b6701d7a4970d0e40a73e3d9e75cc4a0442da6e547401
                                        • Opcode Fuzzy Hash: 55ecf60a42c1f404608676072cd61fcfdfe0b3ffd1a50293cd24e0ac4b332111
                                        • Instruction Fuzzy Hash: E711E6B151020AEFCF10EFA4D8596EDB77DEF14324F208629E96157191DB318EAADF40

                                        Control-flow Graph
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$ExceptionThrow
                                        • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&/$p&/$N
                                        • API String ID: 3665150552-428575995
                                        • Opcode ID: 6bb2784de4be3501908fa0c09270cac3e4b1b0b50fb91377e818e81ffd9bec97
                                        • Instruction ID: 147dc6297742ddd2a5e49dd9bcc3d84f73ca2d3ce9155483f1a2e8641a16cc3d
                                        • Opcode Fuzzy Hash: 6bb2784de4be3501908fa0c09270cac3e4b1b0b50fb91377e818e81ffd9bec97
                                        • Instruction Fuzzy Hash: 66527D71920259DFDF26EBA4C895BEDFBB5AF44300F14409AE449A3291DB706EE8CF11

                                        Control-flow Graph
                                        APIs
                                        • fputs.MSVCRT(Scanning the drive for archives:), ref: 0026A43E
                                          • Part of subcall function 00231FA0: fputc.MSVCRT ref: 00231FA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: fputcfputs
                                        • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&/$p&/$!"$N
                                        • API String ID: 269475090-2731497898
                                        • Opcode ID: 18f3531979705f3d778178ab6a761fa3abea8e23ca4fa3050784342755fd6cca
                                        • Instruction ID: c74bc44941c91560d80330c4cdb862c166bd01d3e524de5e68be58182a7fb9d9
                                        • Opcode Fuzzy Hash: 18f3531979705f3d778178ab6a761fa3abea8e23ca4fa3050784342755fd6cca
                                        • Instruction Fuzzy Hash: B4228E31920259DFDF26EBA4C856BEDFBB5BF44300F14409AE44A632A1DB716EA4CF11

                                        Control-flow Graph
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00268017
                                        • fputs.MSVCRT ref: 0026804D
                                          • Part of subcall function 00268341: __EH_prolog.LIBCMT ref: 00268346
                                          • Part of subcall function 00268341: fputs.MSVCRT ref: 0026835B
                                          • Part of subcall function 00268341: fputs.MSVCRT ref: 00268364
                                        • fputs.MSVCRT ref: 0026807A
                                          • Part of subcall function 00231FA0: fputc.MSVCRT ref: 00231FA7
                                          • Part of subcall function 0023965D: VariantClear.OLEAUT32(?), ref: 0023967F
                                        • SysFreeString.OLEAUT32(00000000), ref: 002681AA
                                        • fputs.MSVCRT ref: 002681CD
                                        • SysFreeString.OLEAUT32(00000000), ref: 00268267
                                        • SysFreeString.OLEAUT32(00000000), ref: 002682B1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                        • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                        • API String ID: 2889736305-3797937567
                                        • Opcode ID: 7d4e248349e231e435e3fac04d644def0eb84e267c949666597ca922071ed777
                                        • Instruction ID: 1bb8f0cbb2b4d10d108dbbfb41818feda10ebe9c5f7b129bbeb7594df599e5be
                                        • Opcode Fuzzy Hash: 7d4e248349e231e435e3fac04d644def0eb84e267c949666597ca922071ed777
                                        • Instruction Fuzzy Hash: 95918B71A20605EFCF14DFA4C995AAEB7B5FF48310F204229E512A7291DB70ADA5CF60

                                        Control-flow Graph
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0026676B
                                        • EnterCriticalSection.KERNEL32(002F2938), ref: 00266781
                                        • fputs.MSVCRT ref: 0026680B
                                        • LeaveCriticalSection.KERNEL32(002F2938), ref: 00266944
                                          • Part of subcall function 0026C7D7: fputs.MSVCRT ref: 0026C840
                                        • fputs.MSVCRT ref: 00266851
                                          • Part of subcall function 00232201: fputs.MSVCRT ref: 0023221E
                                        • fputs.MSVCRT ref: 002668D9
                                        • fputs.MSVCRT ref: 002668F6
                                          • Part of subcall function 00231FA0: fputc.MSVCRT ref: 00231FA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                        • String ID: v$8)/$8)/$Sub items Errors:
                                        • API String ID: 2670240366-1571250424
                                        • Opcode ID: 2bda3594f6ba96c054b4cc38626e3a08a9c54607f4ca3ec64f496abdbaef5c93
                                        • Instruction ID: fb45cd05dcdd03477da2526576cfca6357dd642d4ae0bbc321b3d272a4f5a378
                                        • Opcode Fuzzy Hash: 2bda3594f6ba96c054b4cc38626e3a08a9c54607f4ca3ec64f496abdbaef5c93
                                        • Instruction Fuzzy Hash: 3E51AE31921641CFC725AF74D998AAAB7E2FF84310F64442EE59A87661CB317CA4CF50

                                        Control-flow Graph
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0026635E
                                        • fputs.MSVCRT ref: 0026645F
                                          • Part of subcall function 0026C7D7: fputs.MSVCRT ref: 0026C840
                                        • fputs.MSVCRT ref: 00266547
                                        • fputs.MSVCRT ref: 0026665F
                                        • fputs.MSVCRT ref: 002666AE
                                          • Part of subcall function 00231F91: fflush.MSVCRT ref: 00231F93
                                          • Part of subcall function 00231FB3: __EH_prolog.LIBCMT ref: 00231FB8
                                          • Part of subcall function 00231E40: free.MSVCRT ref: 00231E44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$H_prolog$fflushfree
                                        • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                        • API String ID: 1750297421-1898165966
                                        • Opcode ID: c1805273bdf51a2e5ea25b7f8563704714ed5ccb903b4f3c7471b0c595066b40
                                        • Instruction ID: 555148e317b2634d4de9258c946557f6fa91dc8b5a1389b81cbf676b9191a5d9
                                        • Opcode Fuzzy Hash: c1805273bdf51a2e5ea25b7f8563704714ed5ccb903b4f3c7471b0c595066b40
                                        • Instruction Fuzzy Hash: 95B18A706217028FDB24EF60D9A9BAAB7F1BF44304F04852DE59B57692CB74ACA4CF50

                                        Control-flow Graph
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00236C77
                                        • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00236EC9
                                          • Part of subcall function 00236C72: wcscmp.MSVCRT ref: 002370A5
                                          • Part of subcall function 00236BF5: __EH_prolog.LIBCMT ref: 00236BFA
                                          • Part of subcall function 00236BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00236C1A
                                          • Part of subcall function 00236BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00236C49
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                        • String ID: :$DATA
                                        • API String ID: 3316598575-2587938151
                                        • Opcode ID: 0fd140af0f55a0b4fe4c3bbc9c2a29b315d985d34f7988b9b7c35e4ebb808d25
                                        • Instruction ID: 46dd86763e6f016cbbe3e2e71bdda84b34ce5dcf2f40220e5705c248602adf9c
                                        • Opcode Fuzzy Hash: 0fd140af0f55a0b4fe4c3bbc9c2a29b315d985d34f7988b9b7c35e4ebb808d25
                                        • Instruction Fuzzy Hash: CBE138F192030AEACF25EFA4C849BEDB7B5AF14314F108519E4866B2D1DB70A969CF10
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$H_prolog
                                        • String ID: =
                                        • API String ID: 2614055831-2525689732
                                        • Opcode ID: 437ff23e565ca96f41756b08a1d67eb269ab8ba140bc6a1d2963d979b8376468
                                        • Instruction ID: 97628c35d340ae2ba3ab733c1ff80aac892d9649b883ed7bd4ba2b6b676b74bc
                                        • Opcode Fuzzy Hash: 437ff23e565ca96f41756b08a1d67eb269ab8ba140bc6a1d2963d979b8376468
                                        • Instruction Fuzzy Hash: C4219D72924118EBCF0AEB94E953BEDBBB5EF48310F20412AE40172191DFB16E64CF91
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00268346
                                        • fputs.MSVCRT ref: 0026835B
                                        • fputs.MSVCRT ref: 00268364
                                          • Part of subcall function 002683BF: __EH_prolog.LIBCMT ref: 002683C4
                                          • Part of subcall function 002683BF: fputs.MSVCRT ref: 00268401
                                          • Part of subcall function 002683BF: fputs.MSVCRT ref: 00268437
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$H_prolog
                                        • String ID: =
                                        • API String ID: 2614055831-2525689732
                                        • Opcode ID: 7422d6a53da4cf2346c7a11c59c83af20ed800fca06be4ac08bd2d208a0e2d91
                                        • Instruction ID: 648ad8b916b641c12073ca2017d4eaaf4ccf5d3492040f8a11c83ef08e1addb6
                                        • Opcode Fuzzy Hash: 7422d6a53da4cf2346c7a11c59c83af20ed800fca06be4ac08bd2d208a0e2d91
                                        • Instruction Fuzzy Hash: 5D01D671A20014EBCF05BBA4DC12AEDBB76EF94710F00811AF401622A1CFB44A75DFD1
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0025209B
                                          • Part of subcall function 0023757D: GetLastError.KERNEL32(0023D14C), ref: 0023757D
                                          • Part of subcall function 00252C6C: __EH_prolog.LIBCMT ref: 00252C71
                                          • Part of subcall function 00231E40: free.MSVCRT ref: 00231E44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$ErrorLastfree
                                        • String ID: Cannot find archive file$The item is a directory
                                        • API String ID: 683690243-1569138187
                                        • Opcode ID: 921154007beac45121e10fca478e83bfbf030d8d324f20a3092c9f8335284179
                                        • Instruction ID: 494e309eb844abdd6b8a12a5c11dc8922844ba68d5e5285bc03632f5fd2c84bb
                                        • Opcode Fuzzy Hash: 921154007beac45121e10fca478e83bfbf030d8d324f20a3092c9f8335284179
                                        • Instruction Fuzzy Hash: 56726870D10259DFCB25DFA8C884BDDBBB5AF09301F14409AE859A7392CB709EA9CF54
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: CountTickfputs
                                        • String ID: .
                                        • API String ID: 290905099-4150638102
                                        • Opcode ID: bbff1dd98c1eab2f012a37e3a9c312745af910e00ab68dbd3b47c6e76d0072db
                                        • Instruction ID: 4bcd779567f6989f3a06cc24e8f0c241e15a8006a37ed385d677c7cf73160c59
                                        • Opcode Fuzzy Hash: bbff1dd98c1eab2f012a37e3a9c312745af910e00ab68dbd3b47c6e76d0072db
                                        • Instruction Fuzzy Hash: FB714770620B059FCB25EF65C581ABAB7F6AF81704F20481DE0D797A41DB70F9A9CB11
                                        APIs
                                          • Part of subcall function 00239C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00239CB3
                                          • Part of subcall function 00239C8F: GetProcAddress.KERNEL32(00000000), ref: 00239CBA
                                          • Part of subcall function 00239C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00239CC8
                                        • __aulldiv.LIBCMT ref: 0027093F
                                        • __aulldiv.LIBCMT ref: 0027094B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                        • String ID: 3333
                                        • API String ID: 3520896023-2924271548
                                        • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                        • Instruction ID: 1ad7527abda8a7fa5526e476692efd8a84ca1552652e90ce2d76cdc09895f56c
                                        • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                        • Instruction Fuzzy Hash: C821A8B1910704AEE730DF698881B5BF6F9EB84B10F00892EB28AD3242D670A9548B65
                                        APIs
                                          • Part of subcall function 00231E40: free.MSVCRT ref: 00231E44
                                        • memset.MSVCRT ref: 0025AEBA
                                        • memset.MSVCRT ref: 0025AECD
                                          • Part of subcall function 002704D2: _CxxThrowException.MSVCRT(?,002E4A58), ref: 002704F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: memset$ExceptionThrowfree
                                        • String ID: Split
                                        • API String ID: 1404239998-1882502421
                                        • Opcode ID: 50c3c4c6be5f7a42e10c5a983128053601bf6bccc6f81fffa9415ebced6cef06
                                        • Instruction ID: e598ae28fb4c970231491579471bd845c5d4ede41ec7dd5312f3f6bd01d5aeba
                                        • Opcode Fuzzy Hash: 50c3c4c6be5f7a42e10c5a983128053601bf6bccc6f81fffa9415ebced6cef06
                                        • Instruction Fuzzy Hash: F6429E30A10249DFCF25DFA4C886BEDB7B1BF09306F144199E849A7251CB71AEA9CF15
                                        APIs
                                        • fputs.MSVCRT ref: 00268437
                                        • fputs.MSVCRT ref: 00268401
                                          • Part of subcall function 00231FB3: __EH_prolog.LIBCMT ref: 00231FB8
                                        • __EH_prolog.LIBCMT ref: 002683C4
                                          • Part of subcall function 00231FA0: fputc.MSVCRT ref: 00231FA7
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prologfputs$fputc
                                        • String ID:
                                        • API String ID: 678540050-0
                                        • Opcode ID: e3a0e9729a8b773dc15fcb9562a7142d72576720da2ff82cd212ad894adc23ad
                                        • Instruction ID: 9a2cda1bf8f7fc3e60d2c75af364c761c4b8a490fbdd61cd0625662594539920
                                        • Opcode Fuzzy Hash: e3a0e9729a8b773dc15fcb9562a7142d72576720da2ff82cd212ad894adc23ad
                                        • Instruction Fuzzy Hash: 431182B1B242159BCB09BBA0DC13AAEBB76DF84750F10002AF502A26E1DF6559758ED4
                                        APIs
                                        • fputs.MSVCRT ref: 0026C840
                                          • Part of subcall function 002325CB: _CxxThrowException.MSVCRT(?,002E4A58), ref: 002325ED
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: ExceptionThrowfputs
                                        • String ID:
                                        • API String ID: 1334390793-399585960
                                        • Opcode ID: 12b1fc6c69d45bdf5877e03286178d8d628e9119fac465fbc374d45e25d01b0c
                                        • Instruction ID: f9ebe09a12860011d4569cf0ff06a0f6d9ac4da7e713d8b737cac3a2fa52bad8
                                        • Opcode Fuzzy Hash: 12b1fc6c69d45bdf5877e03286178d8d628e9119fac465fbc374d45e25d01b0c
                                        • Instruction Fuzzy Hash: A31101716147049FDB26DF58C8C1BAAFBE6EF49304F14446EE1868B240C7B1BC54CBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs
                                        • String ID: Open
                                        • API String ID: 1795875747-71445658
                                        • Opcode ID: 60cb75c9c5987b2498ba429e744ee30970164e82d542ba2d0956560f01d64fc5
                                        • Instruction ID: 98ff97cb0948cd4ab3a8b7b204461909db37676a634bf511947db63e390ae1e6
                                        • Opcode Fuzzy Hash: 60cb75c9c5987b2498ba429e744ee30970164e82d542ba2d0956560f01d64fc5
                                        • Instruction Fuzzy Hash: DE11EC72411704DFC760EF34ED99ADABBA5FF15310F50882FE19A83252DA31A9A4CF90
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002806B3
                                        • _CxxThrowException.MSVCRT(?,002ED480), ref: 002808F2
                                          • Part of subcall function 00231E0C: malloc.MSVCRT ref: 00231E1F
                                          • Part of subcall function 00231E0C: _CxxThrowException.MSVCRT(?,002E4B28), ref: 00231E39
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: ExceptionThrow$H_prologmalloc
                                        • String ID:
                                        • API String ID: 3044594480-0
                                        • Opcode ID: b89ac743d761b62edf606b05e354a5d3cb1b105ba6410846bceb39e88bfea074
                                        • Instruction ID: 81c12a056762168dc313b6d1917307fbb35f2709b2ed684aa13782360de46459
                                        • Opcode Fuzzy Hash: b89ac743d761b62edf606b05e354a5d3cb1b105ba6410846bceb39e88bfea074
                                        • Instruction Fuzzy Hash: FD915375D11249DFCF21EFA4C881AEEBBB5BF09304F148199E449A7292CB306E65CF61
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 883817c343d733126896e218b82a2692fae3c25ec2b8855a4512ca928b812d45
                                        • Instruction ID: 4735116c79fa69e84866b0487969f42ce3ce6669fe1aba1bfff49c670280f125
                                        • Opcode Fuzzy Hash: 883817c343d733126896e218b82a2692fae3c25ec2b8855a4512ca928b812d45
                                        • Instruction Fuzzy Hash: 66F1D070524786CFCF39CF64C498AAABBF1BF16304F54486EE48A9B611D731AD64CB12
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00244255
                                          • Part of subcall function 0024440B: __EH_prolog.LIBCMT ref: 00244410
                                          • Part of subcall function 00231E0C: malloc.MSVCRT ref: 00231E1F
                                          • Part of subcall function 00231E0C: _CxxThrowException.MSVCRT(?,002E4B28), ref: 00231E39
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowmalloc
                                        • String ID:
                                        • API String ID: 3744649731-0
                                        • Opcode ID: 273f185b1cc339f70468cfe3e54e0832f9380f457d88772df683f2ff51e1e0fc
                                        • Instruction ID: c67e4afce312b674be111ce0d4e898344a93c0b148acc55c4d06751c14e22499
                                        • Opcode Fuzzy Hash: 273f185b1cc339f70468cfe3e54e0832f9380f457d88772df683f2ff51e1e0fc
                                        • Instruction Fuzzy Hash: 8751D5B0811B44CFC725DF69C18468AFBF4BF19304F5588AEC49A97752D7B0AA18CFA1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: c1688b1e3ee46e732e036a7b799db13259cac682fe82ec458725771a6615bbf0
                                        • Instruction ID: 56bdba68a5d74f63874ad2b716023fce4bfe6d5f032a4930a492a5db4b44678e
                                        • Opcode Fuzzy Hash: c1688b1e3ee46e732e036a7b799db13259cac682fe82ec458725771a6615bbf0
                                        • Instruction Fuzzy Hash: CD314CB0D10209DFCB14DF94CC918AEBBB8FF84361B10851DE81A67241C7309D24CFA4
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0025021F
                                          • Part of subcall function 00243D66: __EH_prolog.LIBCMT ref: 00243D6B
                                          • Part of subcall function 00243D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00243D7D
                                          • Part of subcall function 00243D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00243D94
                                          • Part of subcall function 00243D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00243DB6
                                          • Part of subcall function 00243D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00243DCB
                                          • Part of subcall function 00243D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00243DD5
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID:
                                        • API String ID: 1532160333-0
                                        • Opcode ID: d6e7490597302d2e92c2f93f64f04b748c59998ab104dfde3dccf076d07b29f4
                                        • Instruction ID: f9506e0529afbba85117b574cbc66a3313066cc3db875bb30bab2da91e9c1cfc
                                        • Opcode Fuzzy Hash: d6e7490597302d2e92c2f93f64f04b748c59998ab104dfde3dccf076d07b29f4
                                        • Instruction Fuzzy Hash: 36214AB1846B90CFC321CF6A86D0686FFF4BB19604B949A6FC0DA83B12C370A548CF55
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0026C0B8
                                          • Part of subcall function 00257193: __EH_prolog.LIBCMT ref: 00257198
                                          • Part of subcall function 00231E40: free.MSVCRT ref: 00231E44
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID:
                                        • API String ID: 2654054672-0
                                        • Opcode ID: 3d8e09783ba146465144140991ad509f7de232fe9c4c8846c61769a89244b259
                                        • Instruction ID: 76712e7c9f91a93f9e44d064e25847fdb7e58b7ae2ee47ca4625d1427aa381df
                                        • Opcode Fuzzy Hash: 3d8e09783ba146465144140991ad509f7de232fe9c4c8846c61769a89244b259
                                        • Instruction Fuzzy Hash: 01F0B4B2A30612DBD725AF49D841BAEF3A9EF58760F20412FE40197601CFB29C708A90
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00270364
                                          • Part of subcall function 002701C4: __EH_prolog.LIBCMT ref: 002701C9
                                          • Part of subcall function 00270143: __EH_prolog.LIBCMT ref: 00270148
                                          • Part of subcall function 00231E40: free.MSVCRT ref: 00231E44
                                          • Part of subcall function 002703D8: __EH_prolog.LIBCMT ref: 002703DD
                                          • Part of subcall function 0027004A: __EH_prolog.LIBCMT ref: 0027004F
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID:
                                        • API String ID: 2654054672-0
                                        • Opcode ID: fcaefb6fc0701470e5f8429616a5a4fa40512766eef4d59de0db179fe8999433
                                        • Instruction ID: 51969e430f71e4e1b1d6adb5cb33ef52ded2e817101f0d460dea7cf8525699db
                                        • Opcode Fuzzy Hash: fcaefb6fc0701470e5f8429616a5a4fa40512766eef4d59de0db179fe8999433
                                        • Instruction Fuzzy Hash: B2F0F970934650DBCB19EB68C41279DBBE5AF04314F10869DF456532D2CFB45B249B44
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: ace3dd28c8ee8f0ecf6522df64fb05528fa73f9e4c587c73a915cc06830cba3f
                                        • Instruction ID: 918eee329c815c0488a4fe2f2092c9e7160731273e9e72d30d8299a715ca2879
                                        • Opcode Fuzzy Hash: ace3dd28c8ee8f0ecf6522df64fb05528fa73f9e4c587c73a915cc06830cba3f
                                        • Instruction Fuzzy Hash: 54F04F72E2111AABCB14EF98D8409AFBB75FF48750B10815AF416E7251DB348A55CB90
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs
                                        • String ID:
                                        • API String ID: 1795875747-0
                                        • Opcode ID: ee157fa7dd93d22b7ab0fd24922ea35f36c471ac2952c5ff3077dbb8f1be9051
                                        • Instruction ID: 6b9f31791a6310088d0716bec9ca9eb09160543c0e16722d0a6c2046a5179986
                                        • Opcode Fuzzy Hash: ee157fa7dd93d22b7ab0fd24922ea35f36c471ac2952c5ff3077dbb8f1be9051
                                        • Instruction Fuzzy Hash: ABD01272504129ABDF156B98EC05CDD77BCEF08214B10441BF545E2150EAB5E924CB94
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002880AF
                                          • Part of subcall function 00231E0C: malloc.MSVCRT ref: 00231E1F
                                          • Part of subcall function 00231E0C: _CxxThrowException.MSVCRT(?,002E4B28), ref: 00231E39
                                          • Part of subcall function 0027BDB5: __EH_prolog.LIBCMT ref: 0027BDBA
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowmalloc
                                        • String ID:
                                        • API String ID: 3744649731-0
                                        • Opcode ID: 7f761f710271df88d97c72f53e2c0fa30d3bbbecc83124964b8552af309a09b0
                                        • Instruction ID: 1936f0d2b10bebeb0979df4a78665c9bbb72fa05249be95cbe7d4d2225d33221
                                        • Opcode Fuzzy Hash: 7f761f710271df88d97c72f53e2c0fa30d3bbbecc83124964b8552af309a09b0
                                        • Instruction Fuzzy Hash: 55D05E71B21102AFDB48FFB4982276F72A1AB48304F00867EB416E3781EF709D60CA20
                                        APIs
                                        • FindClose.KERNELBASE(00000000,?,00236880), ref: 00236853
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: CloseFind
                                        • String ID:
                                        • API String ID: 1863332320-0
                                        • Opcode ID: 708890529447b7836407b5b6273a23913f950eb6a5f3a67e6650d1bfb82cf7cf
                                        • Instruction ID: 6707c58957de3060f9d404bd3700bf3c7a0cf9075e072f71238651a024b412c8
                                        • Opcode Fuzzy Hash: 708890529447b7836407b5b6273a23913f950eb6a5f3a67e6650d1bfb82cf7cf
                                        • Instruction Fuzzy Hash: 00D0127151422356CA645E3DB84C9C537DC6E0A334331475AF0F4C31E1D770CC979650
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs
                                        • String ID:
                                        • API String ID: 1795875747-0
                                        • Opcode ID: f5c3e3a7e066fdce405e38e57993b78b3a1369117777d06d4ab4d86c36e9147d
                                        • Instruction ID: a7391e4beff8c90774c029c34bff0de7abe658d8a65c80dbdef46695f608a422
                                        • Opcode Fuzzy Hash: f5c3e3a7e066fdce405e38e57993b78b3a1369117777d06d4ab4d86c36e9147d
                                        • Instruction Fuzzy Hash: E0D0C77600C2519F96155F15FC09C87BBA5FFD5320725081FF440511605B625C29DA60
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: memmove
                                        • String ID:
                                        • API String ID: 2162964266-0
                                        • Opcode ID: a725aab47a023b2de843d3d4a0a336967503162a36a3cfcc8481622138bdb6f8
                                        • Instruction ID: b22647026e479b5f8161e67d859a5f3d8369d6fc4f6421d49994831413e942dd
                                        • Opcode Fuzzy Hash: a725aab47a023b2de843d3d4a0a336967503162a36a3cfcc8481622138bdb6f8
                                        • Instruction Fuzzy Hash: 2C816FB1E2435A9FCF14CFA8C485AADBBB5EF88314F248469D911B7241D771AA90CF50
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                        • Instruction ID: f08450db448989693bfa88e528949a2233500927a6d525948957ac85a2759fa8
                                        • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                        • Instruction Fuzzy Hash: 74D0137163350605DF484D304D4DB9B31A61F5035EF18457CE813DB191F71DC63A9554
                                        APIs
                                        • VirtualAlloc.KERNELBASE(00000000), ref: 002B6B31
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 29ece9d8865d47dced6d84fa979f1d36e2c5e79b49866000175bba31b4b09058
                                        • Instruction ID: 876c5171b0eb308bbd723fe827474696d0b3ea40d06ce7e5caf4383153d4fae9
                                        • Opcode Fuzzy Hash: 29ece9d8865d47dced6d84fa979f1d36e2c5e79b49866000175bba31b4b09058
                                        • Instruction Fuzzy Hash: BEC08CE1A4E280DFDF0213109C447603B208B83301F0A00C2E4045B092C2041C08C722
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                        • Instruction ID: 85c1231b3c911b94f3ceb25bf62cf52ad2210ab80ecb5d55beafde79230a65ad
                                        • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                        • Instruction Fuzzy Hash: 22A024D553104101DD5C11303C05D57100113503077C005FC7403C0101F71FD1341005
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                        • Instruction ID: 4d01765cd99645966048f9589cf10a197d767ec1eec7dfc84b8cce0d2a4ccccb
                                        • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                        • Instruction Fuzzy Hash: 8CA012CDE2000101DD4410343805957101322E07057D4C478640180105FA19D0242002
                                        APIs
                                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 002B6BAC
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: FreeVirtual
                                        • String ID:
                                        • API String ID: 1263568516-0
                                        • Opcode ID: dda93af448a5e0eef3968be7e1da9682eb80f0c5010ff2bb847fb06106ac6a30
                                        • Instruction ID: 03a164bd72a8b7e9e102a1f2efa90b08cf4d7dc206411a549737c50b199c2838
                                        • Opcode Fuzzy Hash: dda93af448a5e0eef3968be7e1da9682eb80f0c5010ff2bb847fb06106ac6a30
                                        • Instruction Fuzzy Hash: B1A00278A91701B7ED6067307D4FF5937247780F06F30C5457241690D45AE47444DA5C
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                        • Instruction ID: 0053e3514c9404e3b57095775b438340ab85defab829b626111ded9b11a3bc51
                                        • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                        • Instruction Fuzzy Hash:
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813276544.0000000000231000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00230000, based on PE: true
                                        • Associated: 0000000A.00000002.1813259663.0000000000230000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813375353.00000000002DC000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813395764.00000000002F2000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813503132.00000000002FB000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_230000_7zr.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                        • Instruction ID: 8e1c09809f7914ac7a6fb890e89df1dcfda051c90d0be882614d56f30a9b2886
                                        • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                        • Instruction Fuzzy Hash: